How SSL works, and how it works over the browser

Victor Liew
3 min read · Oct 6, 2016

Here’s my attempt to piece together all the random chunks of information on SSL and explain it in a manner that a beginner can understand.

To understand how SSL works over the browser, we must first understand how SSL works [1]:

  1. Client says hello to server
  2. Server gives the client a certificate, which carries the server's public key for the client to use to encrypt messages
  3. Client checks that the certificate is legitimate and then uses the server's public key to send a message to the server.

Notice that in step 3, the client needs to verify that the certificate is legitimate. Browsers usually rely on a reputable Certificate Authority (CA), such as Symantec, to establish the legitimacy of the server’s public cert.

How a Certificate Authority works, using Google as an example [2]

A website wants to communicate with you securely. In order for it to prove its identity and for you to make sure that it is not an attacker, you must have the server’s public key. However, you can hardly store the keys of all websites on earth: the database would be huge, and it would have to be updated every hour!

The solution to this is Certificate Authorities, or CAs for short. When you installed your operating system or browser, a list of trusted CAs probably came with it. This list can be modified at will; you can remove whom you don’t trust, add others, or even make your own CA (though you will be the only one trusting this CA, so it’s not much use for a public website). Each CA’s public key is also stored in this CA list.

When Google’s server sends you its certificate, it also mentions that it is signed by GeoTrust. If you trust GeoTrust, you can verify (using GeoTrust’s public key) that GeoTrust really did sign the server’s certificate. To sign a certificate yourself, you need the private key, which is known only to GeoTrust. This way an attacker cannot sign a certificate himself and falsely claim to be Google. When the certificate has been modified by even one bit, the signature will no longer match and the client will reject it.

How does an SSL Certificate work? [3]

SSL Certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner.

To get a certificate, you must create a Certificate Signing Request (CSR) on your server. This process creates a private key and public key on your server. The CSR data file that you send to the SSL Certificate issuer (called a Certificate Authority or CA) contains the public key. The CA uses the CSR data file to create a data structure to match your private key without compromising the key itself. The CA never sees the private key.

Once you receive the SSL Certificate back from the CA, you install it on your server. You also install an intermediate certificate that establishes the credibility of your SSL Certificate by tying it to your CA’s root certificate. The instructions for installing and testing your certificate will be different depending on your server.

When you have installed the SSL cert on your server, your server will automatically tell the client who signed the cert, along with the public key that the client is supposed to use to encrypt the message.
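To make the CSR, intermediate and root pieces above concrete, here is an added example (not from the original post, and not any real CA’s procedure) that builds a throwaway PKI with the openssl command-line tool, verifies the resulting chain the way a client would, and then shows the “one modified byte” rejection described earlier. The names Example Root CA, Example Intermediate CA and www.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway PKI built with the
# openssl CLI, walking the steps above: root CA -> intermediate -> server CSR ->
# signed leaf, then chain verification, then a one-byte tamper that breaks it.
# All names (Example Root CA, www.example.test) are constructed placeholders.
set -eu

build_pki() {
  dir=$(mktemp -d) && cd "$dir"
  # 1. Root CA: self-signed. Its public key is what a trust store would hold.
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 365 \
    -extfile ca.ext 2>/dev/null
  # 2. Intermediate CA: its CSR is signed with the root's private key.
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 365 -extfile ca.ext 2>/dev/null
  # 3. Server: the private key stays here; only the CSR (public key + subject)
  #    goes to the CA, which signs it with the intermediate's private key.
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=www.example.test" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out server.crt -days 90 -extfile leaf.ext 2>/dev/null
  echo "$dir"
}

# What a client does: trust only the root, treat the intermediate as untrusted
# input sent by the server, and check that every signature in the chain holds.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/server.crt" >/dev/null 2>&1
}

# Overwrite one byte inside the signed part of the leaf (offset 200 falls in the
# RSA modulus for this layout) and verify again: the signature no longer matches.
tamper_and_verify() {
  openssl x509 -in "$1/server.crt" -outform DER -out "$1/server.der" 2>/dev/null
  printf '\377' | dd of="$1/server.der" bs=1 seek=200 conv=notrunc 2>/dev/null
  openssl x509 -inform DER -in "$1/server.der" -out "$1/tampered.crt" 2>/dev/null || return 1
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/tampered.crt" >/dev/null 2>&1
}

pki=$(build_pki)
verify_chain "$pki" && echo "chain OK: server -> intermediate -> root"
tamper_and_verify "$pki" || echo "tampered certificate rejected"
```

Passing only root.crt to -CAfile mirrors a browser’s trust store: the intermediate is accepted solely because the root signed it, and the leaf solely because the intermediate did.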

[1] Full Details here: How does SSL work? What is an SSL handshake?

[2] Extracted from How does SSL/TLS work?

[3] Extracted from What Is SSL (Secure Sockets Layer)?
