What Is SSL?

Proving identity and securing the exchange of information has been an ongoing goal of the Internet community. Now that the Internet community includes not only people like you and me, but also companies, governments, and criminals, it is more important than ever to have these reassurances. SSL is the Secure Sockets Layer set of protocols. In general, it is a standard way to achieve a good level of security between a Web browser and a Web site. Actually, SSL can protect more than just Web surfing activity, but we will cover that as we go along.

SSL has reached version 3 in its development. SSL version 1 was quickly replaced with version 2 several years ago. When several security problems were discovered with version 2 of SSL, the developers at Netscape created version 3. SSL v3.0 is considered the strongest yet, and it is the focus of this chapter. Today, Netscape is not the only company that is developing SSL-enabled products. Several companies are making SSL their own way; free, open-source versions of the software are available for anybody to use. For all these different SSL-enabled products to work together, they must follow a standard set of guidelines.

SSL is designed to create a secure channel, or tunnel, between a Web browser and the Web server. The secure tunnel is just for you and the Web server, so that any information you exchange is protected within the secure tunnel. The information exchange is protected because it is nearly impossible for anybody else to see or modify the information while it is in transit. Even better, SSL can provide protection for many types of communications, not just Web surfing. In fact, SSL can be used to secure e-mail, file uploads/downloads using File Transfer Protocol (FTP), and even Internet Relay Chat (IRC). SSL is wonderful because of its flexibility in protecting so many types of digital communications.

When you use an SSL connection, you are assured that it is difficult for snoopers or thieves to see the information you exchange. The fact is, it is quite simple for anyone to read the information you are transmitting across the Internet. Unless something special is being done to protect that information, it travels from your computer to its destination in a clear, readable format. The path that information travels across the Internet can be likened to a simple telephone conversation. When you pick up your phone to call someone across the country, your voice is traveling across miles of wires that are connected by central telephone offices that stretch across the country. Your voice passes through each central office, where it is given a signal boost that carries it to the next central office, again and again until your voice reaches the person on the other end of the phone. Computer information travels a similar path across the Internet, moving from router to router until it reaches its destination. Just as a wiretap can be used to listen in on your telephone conversation, similar techniques can be used to listen in on all your computer transmissions.

Client/Server Design
SSL connections require two parties. On one hand is your SSL-enabled Web browser. On the other hand is the SSL-enabled Web site you are visiting. That's it. You are the client, and the Web site is the server. For SSL to work, both parties must support it, and both parties can negotiate the terms of using it.