SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and unaltered. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.
- SSL Certificate:
  - An SSL certificate is a digital certificate that authenticates the identity of a website and enables an encrypted connection.
  - These certificates are issued by a Certificate Authority (CA).
  - It contains the website’s public key and the website’s identity along with other related information.
  - When a server presents its SSL certificate to a user’s browser, the browser can verify that the server is legitimate and not a fraudulent site.
- SSL CA Bundle:
  - A CA (Certificate Authority) Bundle is a file containing root and intermediate certificates.
  - The root certificate is used to establish the trustworthiness of a CA. Intermediate certificates are used to create a chain of trust from your SSL certificate to the CA’s root certificate.
  - Browsers come with a pre-installed list of trusted CAs, known as the Trusted Root CA store. The SSL CA bundle helps the browser verify that the SSL certificate is issued by a trusted authority.
- Private Key:
  - The private key is a key that is kept secret by the website owner.
  - It is used to decrypt the information encrypted by the corresponding public key.
  - The private key is essential for creating an SSL certificate, as it is used to generate the CSR (Certificate Signing Request).
  - It is crucial to keep the private key secure; if it is compromised, the security of the SSL certificate is at risk.
In essence, when a browser connects to a secure site (using HTTPS), the site sends its SSL certificate to the browser to verify its identity. This certificate contains a public key necessary to start the secure session. The browser and the server then use the public key to establish a secure connection and encrypt the data. The private key is used by the website owner to decrypt the encrypted data sent by the browser.
The entire process ensures that sensitive information like personal data, credit card numbers, and login credentials can be transmitted securely over the internet.
SSL Fundamentals
There are 3 essential elements at work in the process described above: a protocol for communications (SSL), credentials for establishing identity (the SSL certificate), and a third party that vouches for the credentials (the certificate authority).
- Computers use protocols to allow different systems to work together. Web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to enable encrypted communications. The browser’s request that the server identify itself is a function of the SSL protocol.
- Credentials for establishing identity are common to our everyday lives: a driver’s license, a passport, a company badge. An SSL certificate is a type of digital certificate that serves as a credential in the online world. Each SSL certificate uniquely identifies a specific domain (such as thawte.com) and a web server.
- Our trust of a credential depends on our confidence in the organization that issued it. Certificate authorities have a variety of methods to verify information provided by individuals or organizations. Established certificate authorities, such as Thawte, are well known and trusted by browser vendors. Browsers extend that trust to digital certificates that are verified by the certificate authority.
What Happens Between The Web Browser And Server
- A browser attempts to connect to a web site secured with SSL. The browser requests that the web server identify itself.
- The server sends the browser a copy of its SSL certificate.
- The browser checks whether it trusts the SSL certificate. If so, it sends a message to the server.
- The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
- Encrypted data is shared between the browser and the server.
From: https://www.thawte.com/resources/getting-started/how-ssl-works/
Cert Validation
When a web browser connects to a secure website using HTTPS, it performs a series of checks to determine whether it trusts the SSL/TLS certificate presented by the website. This process is crucial for establishing a secure connection and ensuring the authenticity of the website. Here’s how the browser checks the trustworthiness of an SSL certificate:
1. Certificate Validity
- Expiration Date: The browser checks if the certificate is currently valid and has not expired. SSL certificates have a start and end date, and they are considered untrustworthy if the current date is outside this range.
- Certificate Authority (CA): The browser verifies that the certificate was issued by a trusted Certificate Authority. Browsers have a pre-installed list of trusted CAs, and they only trust certificates issued by these authorities.
2. Domain Name Verification
- Matching Domain: The browser checks if the certificate is issued for the domain name that the user is trying to visit. This is to ensure that the certificate presented is actually for the site in question and not for another domain.
3. Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP)
- Revocation Check: The browser checks if the certificate has been revoked by the issuing CA. This can be done by checking Certificate Revocation Lists (CRL) or using the Online Certificate Status Protocol (OCSP). A revoked certificate indicates that it should no longer be trusted, even if it is otherwise valid.
4. Certificate Chain Validation
- Chain of Trust: The browser verifies the entire chain of trust. An SSL certificate is typically signed by an intermediate CA, which in turn is signed by a root CA. The browser checks this chain up to a trusted root CA certificate.
5. Signature Verification
- Digital Signature: The browser checks the digital signature on the certificate to ensure it was indeed issued by the listed CA and has not been tampered with. This involves using the public key of the CA to verify the signature on the certificate.
6. Security Policies and Features
- Certificate Transparency: Modern browsers also check for Certificate Transparency compliance. This means the certificate must be logged in public Certificate Transparency logs, which helps in detecting misissued or malicious certificates.
- Extended Validation (EV): For EV certificates, the browser performs additional checks to validate the legal identity of the website owner, providing a higher level of assurance.
7. Additional Checks
- Algorithm Strength: The browser checks the cryptographic strength of the certificate, ensuring that it uses secure algorithms and key lengths.
- Hostname Matching: The browser ensures that the hostname in the URL matches the Common Name (CN) or Subject Alternative Name (SAN) in the certificate.
If the SSL certificate passes all these checks, the browser establishes a secure connection to the website. If any check fails, the browser typically displays a warning to the user, indicating that the security of the connection cannot be guaranteed.
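The validity-period check (1) and the hostname check (2 and 7) can be reproduced on an already decoded leaf certificate. The following is an added example, not code from the original page or from any browser; it covers only those two checks and leaves chain, signature and revocation checking to the TLS library. The certificate dictionary, its names and dates are constructed, and the function names are hypothetical.

```python
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"),
                       ("DNS", "*.cdn.example.com")),
}

def dns_name_matches(pattern, hostname):
    """Compare one DNS name from the certificate with the requested host."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        # Wildcard only as the whole leftmost label, and never "*.com".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "f*o.example.com" are rejected outright.
    return "*" not in pattern and p_labels == h_labels

def leaf_check_failures(cert, hostname, now):
    """Return the names of the failed checks; an empty list means both passed.

    now is a POSIX timestamp, passed in so the check is repeatable.
    """
    failures = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Legacy fallback: Common Name is consulted only without DNS SANs.
        names = [v for rdn in cert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    if not any(dns_name_matches(n, hostname) for n in names):
        failures.append("hostname mismatch")
    return failures
```

A certificate that passes both checks here can still be untrusted: the chain, signature and revocation checks in the list above are separate and must also succeed.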