What is SSL? Like, really…
Okay, so you know what SSL stands for. That would be, “Secure Sockets Layer.”
In simple terms, SSL is used to encrypt the connection between a website and its visitor. When this encryption takes place, it means that only that specific website and that specific visitor can read the information they’re sending back and forth.
Without the SSL in place, virtually anyone can eavesdrop on the data transfer. And I do mean anyone!
The traditional way in which HTTP communication is handled on the web is by sending plain packets that can be read by third parties while on their way between the source and the destination. This is not such a problem when you’re just browsing 9gag, but it can be a serious threat when you’re trying to buy something online and have just input your credit card number.
In other words, here’s what happens when you visit a website that does not use SSL:
The guy in the middle can read the entire communication purely because it’s all happening in the open with no encryption whatsoever.
Imagine talking to someone in a busy cafe. It’s kind of like that.
Now with SSL running:
The communication is encrypted. While people can still intercept it as it’s traveling through the interwebs, decrypting it is near impossible.
Imagine sitting in the same busy cafe, but now you’re speaking Klingon, backwards.
How does SSL work?
It’s all quite simple when we get to the mechanics:
Again, SSL encrypts all data being transferred between the visitor and the website.
For a website to use SSL, it needs to obtain an SSL certificate. That certificate is proof that the website is a legit one and that the SSL encryption it’s using is correct, plus the certificate also holds the information about the public key used for encryption (more on that later).
Here’s what’s going on step by step when a person visits an SSL-powered website:
At this stage, we’ve come full circle, from establishing a secure connection to sending data to the website and then receiving a response. This is how communicating through SSL is done.
The public-private key pair is a simple concept, but it’s all that’s required to establish a secure channel of communication and to make sure that the party you’re communicating with is what they claim to be.
In simple terms, you can think of the public key as the padlock and the private key as the actual secret combination that can be used to open the padlock.
What’s the difference between SSL and TLS?
In a word, there’s no difference.
Okay, to be more specific, there is one, but it’s simple enough for what we need to know. TLS (Transport Layer Security) is an updated version of SSL. It’s more secure, and it’s actually what all of us use these days instead of SSL.
Yes, you read that right: whenever you get what you think is an SSL certificate for your website, you’re actually getting a TLS certificate.
We still refer to it as SSL because it’s a more commonly used and understood term.
What’s HTTPS?
HTTP is a protocol used for communicating over the internet. It’s through this protocol that a website sends you its contents/data and that you can interact with it and send data back.
HTTPS is a secure version of the protocol. That’s what the “S” at the end stands for.
With HTTPS, the communication itself is done pretty similarly with the only difference being that it’s encrypted using an SSL certificate, making it secure.
Types of SSL/TLS certificates
Not all SSL certificates are created equal. Based on what type of certificate you get for your website and how you configure it, your visitors will see different notifications in their browsers.
Most commonly, certificates are grouped based on two things:
- (a) what the validation level of the certificate is
- (b) how many domains can be secured using a single certificate
Under the first group (a), we have:
- certificates validating just the domain name itself – the certificate authority simply validates that the company has control of their domain name
- certificates validating the organization owning the domain – this one validates not only the domain name but also the information included in the certificate about the organization, such as name and address
- certificates offering extended validation – this is the highest level of a certificate where the certificate authority verifies the ownership of the domain, the information about the organization, their physical location, and even legal existence of the company
To integrate your site with SSL correctly, you need to opt for either standard domain validation or organization validation. The third level is usually something only the big players opt for, such as PayPal, Airbnb, etc.
You can see the level of SSL certificate in the browser window.
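The three validation levels also leave a trace in the certificate itself, so they can be checked without a browser. The following is an added example, not code from the original article: it assumes the dict layout of Python’s `ssl.SSLSocket.getpeercert()`, runs on constructed sample certificates, and uses subject fields as a heuristic (the CA’s policy identifier, which that dict does not expose, is the authoritative marker).

```python
# Added example: estimate a certificate's validation level from its subject,
# using the dict layout returned by ssl.SSLSocket.getpeercert().
# Heuristic only: it reads subject fields, not the CA's policy identifier.

EV_REQUIRED = {"businessCategory", "serialNumber"}
# Some OpenSSL builds show jurisdictionCountryName as a raw OID instead of a name.
EV_JURISDICTION = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into {field: value}."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Return 'domain', 'organization' or 'extended' for a parsed certificate."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "domain"        # only control of the domain name was checked
    if EV_REQUIRED.issubset(fields) and EV_JURISDICTION.intersection(fields):
        return "extended"      # registration number and jurisdiction are present
    return "organization"      # organization details vetted, no EV-only fields


def covered_domains(cert):
    """List the DNS names this one certificate secures (grouping b above)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample certificates (not real sites), in getpeercert() format.
DV_CERT = {"subject": ((("commonName", "shop.example"),),),
           "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example"))}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Org"),),
                       (("commonName", "example.org"),)),
           "subjectAltName": (("DNS", "example.org"),)}
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Payments Inc."),),
                       (("commonName", "pay.example"),)),
           "subjectAltName": (("DNS", "pay.example"),)}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(validation_level(cert), covered_domains(cert))
```

To run it against a live site, pass in the dict from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`.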