SSL


What is SSL?

SSL Example


SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser in online communication. Using SSL ensures that all data transmitted between the web server and the browser remains encrypted.
An SSL certificate is necessary to create an SSL connection. You would need to give all details about the identity of your website and your company when you choose to activate SSL on your web server. At that point two cryptographic keys are created:
1. Private Key
2. Public Key

The next step is the submission of the CSR (Certificate Signing Request), which is a data file that contains your details as well as your Public Key. The CA (Certification Authority) would then validate your details. Following successful authentication of all details, you will be issued an SSL certificate. The newly issued SSL certificate would be matched to your Private Key. From this point onwards, an encrypted link is established by your web server between your website and the customer's web browser.
The presence of an SSL protocol and an encrypted session is indicated by the lock icon in the address bar. A click on the lock icon displays details about your SSL certificate to the user/customer. It is to be remembered that SSL Certificates are issued to either companies or legally accountable individuals only after proper authentication.
An SSL Certificate comprises your domain name, the name of your company and other things like your address, your city, your state and your country. It would also show the expiration date of the SSL certificate plus details of the issuing CA. Whenever a browser initiates a connection with an SSL-secured website, it will first retrieve the site's SSL Certificate to check whether it is still valid. It also verifies that the CA is one the browser trusts, and that the certificate is being used by the website for which it was issued. If any of these checks fail, a warning will be displayed to the user, indicating that the website is not secured by a valid SSL certificate.
*Note: Secure Sockets Layer (SSL) is a computer networking protocol for securing connections between network application clients and servers over an insecure network, such as the internet. Due to numerous protocol and implementation flaws and vulnerabilities, SSL was deprecated for use on the internet by the Internet Engineering Task Force (IETF) in 2015 and has been replaced by the Transport Layer Security (TLS) protocol. While TLS and SSL are not interoperable, TLS is backwards-compatible with SSL 3.0.

What is SSL/TLS Certificate?
SSL or TLS (Transport Layer Security) certificates are data files that bind a cryptographic key to the details of an organization. When an SSL/TLS certificate is installed on a web server, it enables a secure connection between the web server and the browser that connects to it. The website's URL is prefixed with "https" instead of "http" and a padlock is shown in the address bar. If the website uses an extended validation (EV) certificate, then the browser may also show a green address bar.

What is SSL used for and why do I need SSL certificate?
The SSL protocol is used by millions of online businesses to protect their customers, ensuring their online transactions remain confidential. A web page should use encryption when it expects users to submit confidential data, including personal information, passwords, or credit card details. All web browsers have the ability to interact with secured sites so long as the site's certificate is issued by a trusted CA.
The internet has spawned new global business opportunities for enterprises conducting online commerce. However, that growth has also attracted fraudsters and cyber criminals who are ready to exploit any opportunity to steal consumer bank account numbers and card details. Any moderately skilled hacker can easily intercept and read the traffic unless the connection between a client (e.g. internet browser) and a web server is encrypted.


How Does SSL Work?


The following diagram explains how an SSL certificate works on a website.


SSL_connectivity


The process of how an 'SSL handshake' takes place is explained below:

1. An end-user asks their browser to make a secure connection to a website (e.g. https://www.digicert.com/).
2. The browser obtains the IP address of the site from a DNS server, then requests a secure connection to the website.
3. To initiate this secure connection, the browser requests that the server identify itself by sending a copy of its SSL certificate to the browser.
4. The browser checks the certificate to ensure:
   i) that it is signed by a trusted CA;
   ii) that it is valid and has not expired or been revoked;
   iii) that it conforms to required security standards on key lengths and other items;
   iv) that the domain listed on the certificate matches the domain that was requested by the user.

5. When the browser confirms that the website can be trusted, it creates a symmetric session key, which it encrypts with the server's public key (the one contained in the website's certificate). The encrypted session key is then sent to the web server.
6. The web server uses its private key to decrypt the symmetric session key.
7. The server sends back an acknowledgement that is encrypted with the session key.
8. From now on, all data transmitted between the server and the browser is encrypted and secure.
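The four checks in step 4 (and the same checks described earlier under "What is SSL?") written out as code. This is an added illustration, not code from the original post: the trust store, revocation list, certificate record and timestamps are all constructed sample values, and the certificate is a plain dictionary holding only the fields the checks inspect.

```python
from datetime import datetime, timezone

# Constructed sample data: a browser's trust store, a CA's revocation list and a
# minimum RSA key size. None of these are real certificates or real CAs.
TRUSTED_CAS = {"Example Root CA"}
REVOKED_SERIALS = {"0BAD"}
MIN_RSA_BITS = 2048
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)          # time of the connection
AFTER_EXPIRY = datetime(2026, 1, 1, tzinfo=timezone.utc)

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Compare a name from the certificate with the requested host (check iv).
    A wildcard is honoured only in the left-most label and matches one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == hostname

def check_certificate(cert: dict, requested_host: str, now: datetime) -> list:
    """Run the four browser checks; return the list of failures (empty = trusted)."""
    failures = []
    if cert["issuer"] not in TRUSTED_CAS:                        # i) trusted CA
        failures.append("issuer not trusted")
    if not (cert["not_before"] <= now <= cert["not_after"]):     # ii) validity window
        failures.append("expired or not yet valid")
    if cert["serial"] in REVOKED_SERIALS:                        # ii) revocation
        failures.append("revoked")
    if cert["key_bits"] < MIN_RSA_BITS:                          # iii) key length
        failures.append("key too short")
    if not any(hostname_matches(n, requested_host) for n in cert["names"]):
        failures.append("hostname mismatch")                     # iv) domain match
    return failures

# Constructed certificate record holding only the fields the checks look at.
GOOD_CERT = {
    "issuer": "Example Root CA", "serial": "1001", "key_bits": 2048,
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
    "names": ["www.example.test", "*.example.test"],
}

if __name__ == "__main__":
    print(check_certificate(GOOD_CERT, "www.example.test", NOW))
    print(check_certificate(dict(GOOD_CERT, key_bits=1024), "a.b.example.test", NOW))
    print(check_certificate(GOOD_CERT, "www.example.test", AFTER_EXPIRY))
```

A real browser also walks the full chain up to the root and checks revocation via CRL or OCSP; the function above shows only the decision logic for a single leaf certificate.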

One More Example:

There are many ways to go about creating an SSL connection between servers, and the best one for your situation will depend upon the type of protocol you're planning to tunnel through it. As you probably know, the Secure Sockets Layer (SSL) allows the use of encryption to protect data sent via a TCP/IP connection. The most commonly used implementation of SSL is the HTTPS protocol: a secure, encrypted alternative to HTTP for transferring information over the Web.
Server certificates are typically issued to hostnames, which could be a machine name (such as 'XYZ-SERVER-01') or a domain name (such as 'www.symantec.com'). A web browser reaching the server validates that the SSL server certificate is authentic. That tells the user that their interaction with the web site has no eavesdroppers and that the web site is exactly who it claims to be. This security is critical for electronic commerce, which is why certificates are now in such widespread use.


Verbose diagram



Process of the 'SSL handshake' (brief):

1. Client Hello
Information that the server needs to communicate with the client using SSL. This includes the SSL version number, cipher settings and session-specific data.
2. Server Hello
Information that the client needs to communicate with the server using SSL. This includes the SSL version number, cipher settings and session-specific data.
3. Authentication and Pre-Master Secret
The client authenticates the server certificate (e.g. Common Name / Date / Issuer). The client (depending on the cipher) creates the pre-master secret for the session, encrypts it with the server's public key and sends the encrypted pre-master secret to the server.
4. Decryption and Master Secret
The server uses its private key to decrypt the pre-master secret. Both server and client then perform the same steps to generate the master secret with the agreed cipher.
5. Encryption with Session Key
Both client and server exchange messages to inform each other that future messages will be encrypted.
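Steps 4 and 5 say both sides "generate the master secret" from the pre-master secret; the following added example (not from the original post) shows what that derivation looks like using the TLS 1.2 PRF from RFC 5246, which replaced the SSL 3.0 construction. It skips the RSA encryption of step 3 and only demonstrates that the two sides, given the same pre-master secret and the two hello nonces, derive identical per-direction keys; the nonces and pre-master secret are constructed fixed values, not drawn from a CSPRNG as a real client would.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246, section 5): concatenated HMACs
    over A(1), A(2), ... where A(0) = seed and A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Step 4: pre-master secret -> 48-byte master secret -> key block.
    The key block is sized for AES-128-GCM (two 16-byte keys, two 4-byte fixed IVs)."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    # Key expansion seeds with server_random first (RFC 5246, section 6.3).
    kb = prf(master, b"key expansion", server_random + client_random, 2 * 16 + 2 * 4)
    return {
        "master_secret": master,
        "client_write_key": kb[0:16], "server_write_key": kb[16:32],
        "client_write_iv": kb[32:36], "server_write_iv": kb[36:40],
    }

# Constructed handshake values: fixed nonces and a pre-master secret of the TLS
# form (2 version bytes + 46 random bytes). Real implementations use a CSPRNG.
CLIENT_RANDOM = bytes(range(0, 32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(range(100, 146))

if __name__ == "__main__":
    # The client knows the pre-master secret because it generated it; the server
    # knows it after decrypting it with its private key. Each side runs the same
    # derivation independently and ends up with the same key material.
    client_side = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_side = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    for name, value in client_side.items():
        print(f"{name:18} {value.hex()}")
    print("sides agree:", client_side == server_side)
```

An eavesdropper sees both hello nonces on the wire but not the pre-master secret, so without the server's private key it cannot reproduce the master secret or the session keys.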

For more information see the blog post "Understanding_SSL".
