On Security: SSL

SSL is one of the main ways that the public makes use of encryption on a daily basis. If the Web address in your browser begins with https rather than http, you're connected to the site through SSL. The current standard for this technology is actually known as TLS, but it's still commonly referred to by the name SSL.

Often when people ask if a website is "secure," they want to know if it accepts SSL connections. And although Web security is a much broader subject, SSL does play a vital role in it. In fact, SSL provides two distinct and important functions: encryption and authentication.

In the last article of the series, we discussed how asymmetric, or public-key, encryption is helpful in securing communications between two parties. Symmetric encryption is fast and strong, but it depends on both parties having agreed to the same secret key ahead of time. This would be difficult for a user who wanted to connect securely to a website with which he had no previous relationship. SSL solves this problem by using asymmetric encryption first, in order to negotiate a symmetric key securely.

It's important to understand what protection SSL does and does not provide.

An encrypted connection to a website prevents eavesdropping. In the past, for an eavesdropper to gain access to network traffic, he would have had to be physically connected to the network, somewhere between the two computers that were communicating. While certainly possible, in most cases this would be about as likely as someone tapping your phone line. Today, however, open WiFi is prevalent. On a wireless network, your computer is broadcasting its data on a radio, in a 360-degree radius, for a considerable distance. If that data isn't encrypted, it's trivial for even a moderately sophisticated attacker to observe it unobtrusively. With strong encryption, the data looks like nothing but random noise to anyone except its intended recipient.

The encryption provided by SSL is only useful, however, in the presence of the other function the protocol offers: authentication. The certificates used to make SSL connections are digitally "signed" by a Certification Authority who verifies the identity of the person requesting the certificate. When making an SSL connection, your browser validates this signature against its list of trusted authorities. Otherwise, an attacker could insert himself into the communications channel. Although your connection would be encrypted, it wouldn't offer any protection if that connection went to a malicious computer. Note that the system does ultimately require trust in the list of certifying authorities, though. Modern browsers ship with a fairly long list of trusted authorities.

On the whole, SSL is a powerful and important technology to keep our communications secure. Its purpose, however, is only to protect data in transit. Web applications are still responsible for keeping that data safe after it's received, and users are responsible for protecting their workstations. SSL won't prevent a virus running on your workstation from logging keystrokes as you type, for example.