SSL was developed to address the problem of achieving secure communications on the inherently insecure public Internet. It solves 3 separate but related problems all at once:
• Authentication: Assures that parties are who they purport to be
• Confidentiality and Privacy: Assures that communications cannot be read by others
• Integrity: Assures that communications have not been altered in transit
The proper use of cryptographic keys and digital certificates by the communicating parties underpins SSL security. Before a client and server can exchange information protected by SSL, they must securely exchange or agree on an encryption key and a cipher to use when encrypting data.
Public key certificates used during the exchange or agreement can vary in the size of the public/private encryption keys used, which determines the robustness of the security provided throughout the session.
A cipher is a mathematical algorithm used to transform human-readable plaintext into unreadable ciphertext. Countless ciphers have been developed throughout history, primarily for military applications, with many variants currently in use across the Internet today. Many ciphers previously thought to be secure were later exposed as insecure, further fueling the cryptographic arms race.
A key is used to enable the cipher to encode and decode content, for without a key the cipher would produce no useful result. Changing the key produces different results using the same cipher, so that a third party cannot eavesdrop on a conversation without knowing the key, even if he or she knows the exact cipher being used by the parties. For a given cipher, longer keys result in stronger encryption.
A digital certificate is an electronic document that uses a digital signature to bind a public key with an identity, often the name of a person or an organization, a physical address, and an email address. A certificate verifies that a public key belongs to a specific entity for a given time period.
CERTIFICATE TRUST AND VALIDITY
BENEFICIAL USE CASES
SSL enables a wide array of beneficial applications that make the Internet the most valuable communication medium the world has ever known:
• Email—nearly all major providers now use SSL (e.g., Gmail, Yahoo)
• Social media (e.g., Facebook, Twitter, LinkedIn)
• Ecommerce (e.g., Amazon, eBay)
• Online banking, financial services
• Medical records, tax records
• Sensitive information transiting the Internet
• Software validation (digital signatures authenticate publishers of applications)
Perhaps most important of all, SSL is instrumental in gaining acceptance. Nearly everything worth doing on the Internet besides casual news and entertainment browsing is now being secured using SSL. This is precisely why it is so important that SSL be properly understood, deployed, and maintained by enterprise security professionals.