That little lock icon in your browser URL bar is actually quite complicated.
SSL stands for Secure Sockets Layer. The point of SSL is to prevent data from being tampered with in transit. Without SSL, everything is sent and received as plain text. If you are familiar with networking, and wireless networking in particular, you know that the wireless data going to and from a router (say, in a coffee shop) is broadcast as far as the wireless signal reaches, and if someone is sitting in their car with a repeater (signal extender), it can go even further.
SSL is also for identification. If you go to http://www.google.com, how do you know that you are actually seeing the website that Google is hosting and not someone’s mockup of Google? To go back to the coffee shop scenario, if we did not have SSL, a patron in the coffee shop could hack the router and redirect all traffic bound for http://www.google.com to his or her own fake website, where he or she could do nefarious things.
SSL = Identification and encryption.
Every browser, when it encounters an SSL certificate, checks it against the known certificate authorities (the organizations that can issue certificates) to ensure that the certificate is valid. Browsers these days ship with built-in lists of these authorities, so they can avoid round trips across the internet to verify the most common certificates.
Three types of certificates.
- Self-signed certificate – You (or anyone) can always sign your own certificates. However, since you did the signing, no one else will trust your certificates (nor should they). Best for internal or personal use.
- Domain-only validation – The cheapest and also the least secure, since only minimal checks are performed. Great for encryption, not great for identity validation.
- Organization-only validation – More information about your company is verified by the issuer.
- Extended validation – Takes longer to issue, but these are the most thoroughly vetted certificates.
Now there are also:
- Single-site certificates – e.g. http://www.google.com has a certificate, but mail.google.com would also need its own certificate.
- Wildcard certificates – e.g. mail.google.com and plus.google.com would both fall under a *.google.com wildcard certificate, but google.com itself would not…
- Subject Alternative Name (SAN) certificates – You can also take a single-site certificate and (depending on your provider) add additional subdomains to it.
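The three name-coverage rules above (single site, wildcard, SAN) are what a browser checks when it matches the hostname in the URL bar against the names in the certificate. The following is an added example, not code from the original post; it implements the matching rules browsers apply (RFC 6125 style: an exact name matches itself, a wildcard covers exactly one left-most label, and neither covers the bare domain) against a list of SAN DNS names. The function names and the sample names are constructed for the example.

```python
"""Hostname-to-certificate name matching (added example, not from the post).
Models what a browser does with the Subject Alternative Name list: an exact
name matches itself, '*.google.com' matches mail.google.com but not
google.com or a.b.google.com, and partial wildcards are rejected."""
from __future__ import annotations
from typing import Iterable


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # Only a whole-label wildcard is honoured; partial wildcards such as
    # 'm*.google.com' are rejected before we get here.
    return pattern_label == "*" or pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (exact or wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        # The wildcard must be the entire left-most label, appear nowhere
        # else, and leave at least two labels to its right so that '*.com'
        # cannot cover every .com site.
        if (p_labels[0] != "*"
                or any("*" in label for label in p_labels[1:])
                or len(p_labels) < 3):
            return False
    # A wildcard covers exactly one label, so the label counts must agree:
    # this is why *.google.com covers mail.google.com but not google.com.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_covers(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Browser-style check against the SAN DNS names of a certificate.

    Current browsers require the SAN extension and ignore the subject CN,
    so only the SAN list is consulted here. A single-site certificate is
    simply a SAN list with one entry; a SAN certificate has several; a
    wildcard certificate has a '*.' entry.
    """
    return any(name_matches(name, hostname) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed sample: one wildcard certificate and one SAN certificate.
    wildcard_cert = ["*.google.com"]
    san_cert = ["www.google.com", "mail.google.com"]
    for host in ("mail.google.com", "google.com", "a.b.google.com"):
        print(f"{host:16} wildcard={certificate_covers(host, wildcard_cert)} "
              f"san={certificate_covers(host, san_cert)}")
```

Run it and you will see that the wildcard certificate covers mail.google.com but neither google.com nor a.b.google.com, which is exactly the gap the post points at; the SAN certificate covers only the names explicitly listed in it.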
At the end of the day, if you own a domain, your certificate will be unique among all other certificates on the internet. Every https:// website has purchased ($$$) its own certificate, which was originally issued by a certificate authority.
Browser and Server
When you browse a website over https, your browser and the server agree on an encryption level. By default, they choose the strongest encryption that is supported by both. That said, encryption is always a moving target, and a good reason to upgrade your browser (and your server, for ops) is to make sure you are able to use the best encryption available to secure your session.
The browser and server encrypt and decrypt messages back and forth using public and private keys. The key (pun unintended) is that if you are running a server, you need to properly secure your server’s private key, because if someone gets hold of it, they can set up their own server, which will be verified via SSL as being valid. All other certificates on your server are public and are necessary for the user’s browser to know how to “talk” to your server in a secure manner.
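The “agree on the strongest encryption supported by both” step above is a negotiation: the client offers a list of cipher suites, and the server picks one from its own preference order. The block below is an added example, not code from the original post, that models that negotiation and shows why an outdated browser or server matters: when the only overlap is a suite below the server’s protocol floor, a well-configured server refuses the handshake rather than silently downgrading. The suite catalogue and preference lists are constructed for the example (the names follow the OpenSSL naming style, but the strength ordering is ours); `negotiate` and `local_suites` are the example’s own names.

```python
"""Cipher suite negotiation model (added example, not from the post).
The client offers a list of suites; the server walks its own preference
list (strongest first) and takes the first suite the client also offered,
but only if it meets the configured protocol floor and forward-secrecy
requirement. No overlap means the handshake is refused, not downgraded."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import ssl


@dataclass(frozen=True)
class Suite:
    name: str
    protocol: str        # protocol version the suite belongs to
    strength_bits: int   # symmetric key strength, as OpenSSL reports it
    forward_secret: bool # ephemeral key exchange (ECDHE/DHE or TLS 1.3)


PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed catalogue: a modern suite, an older-but-acceptable one, and
# two that a current server should never agree to.
CATALOGUE = {
    "TLS_AES_256_GCM_SHA384": Suite("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256, True),
    "ECDHE-RSA-AES128-GCM-SHA256": Suite("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128, True),
    "AES128-SHA": Suite("AES128-SHA", "TLSv1", 128, False),  # static RSA key exchange
    "RC4-MD5": Suite("RC4-MD5", "SSLv3", 128, False),        # broken cipher and hash
}


def _protocol_at_least(proto: str, floor: str) -> bool:
    # Unknown protocol strings are treated as below the floor, never above it.
    if proto not in PROTOCOL_ORDER:
        return False
    return PROTOCOL_ORDER.index(proto) >= PROTOCOL_ORDER.index(floor)


def negotiate(client_offer: list[str], server_prefs: list[str],
              min_protocol: str = "TLSv1.2", require_pfs: bool = True) -> Optional[str]:
    """Return the suite the server selects, or None if it refuses the handshake."""
    offered = set(client_offer)
    for name in server_prefs:            # server preference order wins
        if name not in offered or name not in CATALOGUE:
            continue
        suite = CATALOGUE[name]
        if not _protocol_at_least(suite.protocol, min_protocol):
            continue                     # below the floor: do not downgrade
        if require_pfs and not suite.forward_secret:
            continue                     # a stolen private key would decrypt old sessions
        return name
    return None


def local_suites() -> list[str]:
    """Names of the suites the local OpenSSL enables by default, in its own
    preference order; useful to see what 'moving target' looks like locally."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


if __name__ == "__main__":
    server = list(CATALOGUE)             # strongest first, as defined above
    modern_browser = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
    old_browser = ["AES128-SHA", "RC4-MD5"]
    print("modern browser ->", negotiate(modern_browser, server))
    print("old browser    ->", negotiate(old_browser, server))
    print("old browser, legacy server config ->",
          negotiate(old_browser, server, min_protocol="TLSv1", require_pfs=False))
    print("local OpenSSL default suites:", local_suites()[:5], "...")
```

The third call shows the trade-off an operator faces: relaxing the floor lets the old browser connect, but every such session uses a suite without forward secrecy, which is exactly the case where a leaked private key later exposes recorded traffic.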
“You get what you pay for.”
This saying holds true even for SSL certificates. If you buy a cheaper or free cert, it will be less widely trusted by browsers across the world. If you aren’t spending over $100/yr, you might want to make sure that your cert will work for people at, say, an enterprise in Australia.
Do your research and try to get as close to a root certificate provider as you can: GeoTrust, Verisign, etc.
There is more to know…
The above is merely scratching the surface. We didn’t even touch on CSRs, TLS, the NSA, ciphers, etc. Knowledge about certificates runs far and wide. The best thing to do is go to a website with https and click on that little lock icon. Look at the certificate, see who issued it, and research prices and service levels. Most issuers have pretty decent service and will answer questions promptly if you ask. After all, when you consider that each website is paying $100 – $2,000 a year, it is a decent business for them.