The Hostway Blog

How Does SSL Work?

SSL stands for Secure Sockets Layer and is a protocol that allows for secure communication on the Internet. It is built into all the major browsers and servers, so enabling this capability on your site is as simple as installing a digital certificate.

SSL certificates are issued by certificate authorities (CAs), and all browsers contain a list of trusted CAs so that they can verify the validity of a server’s certificate and public ID. Once the Web browser has accepted a site’s certificate, the user can be confident that any information shared with the site is protected.

Basics of SSL

When a visitor tries to access a secure Web page, the visitor’s browser requests the site’s digital certificate to check that the site is real and not being redirected. The server automatically sends the certificate back to the browser, authenticating the site.

Once the browser accepts the certificate as valid, it determines what type of encryption is in use and generates a unique session key to enable encrypted communications with the site. The browser encrypts this session key with the site’s public key, so that only that site can read it. At this point, a secure channel has been established between the site and the browser. All communication will be encrypted, and the browser will display an icon (often a closed lock) indicating the session is secure.

How to Get an SSL Certificate

There are many certificate authorities that can issue SSL certificates or digital IDs. One of the most common, and probably the most trusted, is Verisign. Two others are Thawte and QuickSSL.

In order to obtain an SSL certificate, you must prove you are a legitimate business, with either a Dun & Bradstreet DUNS number, a valid business license, partnership papers or articles of incorporation. You must also own, or be authorized to use, the domain you want to secure.

You will also need to generate a keypair (the server’s private and public keys) and a certificate signing request (CSR) on your server. The CSR will contain a copy of the public key. The CA will need a copy of your CSR and, once your application is approved, will send you your digital ID, which must be installed on your server. In most cases, your Web host will generate the keypair and CSR for you, as well as install your digital ID.
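The keypair and CSR step described above, as an added example using the openssl command-line tool (not code from this post or from any CA). The domain www.example.com, the subject fields and the file names server.key and server.csr are constructed values; the checks confirm that the CSR carries the public half of your key and nothing private before it leaves the server.

```shell
#!/bin/sh
# Added example: create the server key pair and CSR, then check the CSR
# before it goes to the CA. Domain, subject and file names are constructed.

make_key_and_csr() {   # usage: make_key_and_csr <dir> <domain>
    # The private key stays on the server; umask keeps it owner-readable only.
    ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) || return 1
    # The CSR holds the subject and the public key, signed with the private key.
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/O=Example Co/CN=$2"
}

pubkey_digest() {      # usage: pubkey_digest key|csr <file>
    case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
    esac | openssl sha256 | awk '{print $NF}'
}

csr_is_sound() {       # usage: csr_is_sound <dir> <domain>
    # 1. The self-signature shows the requester holds the private key.
    #    Match the message text: some openssl versions exit 0 even on failure.
    openssl req -in "$1/server.csr" -noout -verify 2>&1 |
        grep -q "verify OK" || return 1
    # 2. The public key in the CSR is the one derived from server.key.
    [ "$(pubkey_digest key "$1/server.key")" = \
      "$(pubkey_digest csr "$1/server.csr")" ] || return 1
    # 3. The subject names the domain being secured.
    openssl req -in "$1/server.csr" -noout -subject |
        grep -qF "$2" || return 1
    # 4. No private key material is in the file that leaves the server.
    ! grep -q "PRIVATE KEY" "$1/server.csr"
}

workdir=$(mktemp -d)
make_key_and_csr "$workdir" www.example.com &&
    csr_is_sound "$workdir" www.example.com &&
    echo "CSR passed all checks; send server.csr, keep server.key"
rm -rf "$workdir"
```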

Creating Secure Links

When linking to secure parts of your site, begin the URL with “https:” (notice the “s” after http). This tells the system to use SSL when opening that page. Visitors without a secure connection will not be able to view the page and will get an error message. If you have links on your secure page out to pages that are not secure, use the regular “http:” in the URL for those links.

If you expect to need SSL on your site, it is a good idea to ask your preferred hosting provider what packages allow it, as well as what costs are involved, before signing up.