The Secure Sockets Layer (SSL) is what you are using when you use https instead of http for a web page. This is also referred to as TLS (Transport Layer Security) and you'll sometimes see newsgroup posts from people wondering what the difference is. Simply, TLS is the official name for the SSL standard.
What it's all about is secure transmission of data using public key authentication. There are two parts to SSL: verifying that you are talking to the server you want to be talking to, and then encrypting data sent between the two of you. The verification part is handled by the server having generated a certificate, which is actually just a public key that has been "signed" (which is encryption with a private key - see /Basics/gpg.html).
The verification phase is the weakest part of SSL, for several reasons. First, almost always the server's key pairs have a blank passphrase, because otherwise you'd need to provide the passphrase every time the web server was restarted, which would be inconvenient and difficult for scripts. This makes the keys easier to steal in the event of some other server compromise. But more important is that in common usage, people pay very little attention to the security that this verification phase does offer, and will happily accept and ignore any error that might be trying to warn them that they may not in fact be talking to the server they think they are.
For example, I just set up a web server at a hosting site. The provider pre-configures the machine, initializing everything to default values, and puts an "Under Construction" page in the httpdocs directory. If I replace that with my content, I can access the site by IP or point a domain I own at it. If I then access that site with https instead of http, I'll get a warning from my browser saying something like:
You have attempted to establish a connection with "xyz.com". However, the security certificate presented belongs to "plesk". It is possible, though unlikely, that someone may be trying to intercept your communication with this web site.
Unfortunately, it's the "unlikely" part that introduces the problem. Most people are just going to click the button that says "OK" or "Accept this certificate" and continue. If they really are talking to "xyz.com", that's fine. But if they are a victim of DNS poisoning, they may be connected to someone else entirely. Or it may be as simple as a typo: they thought they typed "paypal.com" but fat-fingered "payoal.co" instead. Or they were foolish enough to click on an email link that said it was going to PayPal or eBay or whatever.
You can use the "openssl" command to get all the gory details about site certificates. For example, you might do this:
    # openssl s_client -host www.somewhere.com -port 443
    CONNECTED(00000003)
    depth=0 /C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddressfirstname.lastname@example.org
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddressemail@example.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddressfirstname.lastname@example.org
       i:/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddressemail@example.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEfDCCA2SgAwIBAgIEQZyU8DANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMC
    5y2CaL0gLHjB3DQE+ZHb9J/cp7yQZRM9yMRyYZ36ZFdg8UTB48BIbETxqwoxy55v
    qzxw01fm6Vdf9XK+rXVuSyp41LvDfNSlMC3SXmx7rEYVNsrANUELK1s8QUBR/oe5
    12p1gasB6fIPUulusdsz5wXwIAhvvgbTV5rfWfZbx7UgQIgznFWPElqNjxmV9r75
    lwV+KXyuEngyMunw9tZhfRn/woRUB/7cNsUOhMss1SOhTtKwjia2iikmovQ+3SLd
    (many lines deleted)
    -----END CERTIFICATE-----
    subject=/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddressfirstname.lastname@example.org
    issuer=/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddressemail@example.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1844 bytes and written 340 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    SSL-Session:
        Protocol : TLSv1
        Cipher : DHE-RSA-AES256-SHA
        Session-ID: 95B24DCEEE9BC8FBF7C646C5DBB3B9B9916AD9A8E68B5E07B0113EDB08EB71B6
        Session-ID-ctx:
        Master-Key: 070945EA7C92B7DCB4B71DA8BD90F0DCB6327802BE6E4F9CF877C7697D6EF006848869F18D63206D03088EF413AF3290
        Key-Arg : None
        Krb5 Principal: None
        Start Time: 1114087832
        Timeout : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
The openssl command is also what you'd use to generate keys and certificates.
Once the server has been verified, SSL negotiates encryption between the machines and transmits data securely from that point on.
Although OpenSSL is probably the best known and most common implementation, there is also GnuTLS.
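The default-certificate situation described above can be reproduced offline with the openssl command. This is an added example, not part of the original article: it generates a passphrase-less key and a self-signed certificate for "plesk", then runs the checks a browser performs (trust chain and host name). The organization "Example Hosting", the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed names: xyz.com, "Example Hosting", file names.
workdir=$(mktemp -d)
crt="$workdir/server.crt"
key="$workdir/server.key"

# Generate a key pair and a self-signed certificate with CN=plesk.
# -nodes writes the private key with no passphrase, the usual server setup.
make_default_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Hosting/CN=plesk" \
        -keyout "$key" -out "$crt" 2>/dev/null
}

# True when the key file is stored unencrypted (blank passphrase).
key_is_unprotected() {
    ! grep -q ENCRYPTED "$1"
}

# True when subject and issuer are the same name, i.e. self-signed.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ]
}

# Print the numeric error from "openssl verify" (18 = self-signed).
verify_error() {
    openssl verify "$1" 2>&1 | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

# True when the certificate is valid for host name $2.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q "does match"
}

make_default_cert
key_is_unprotected "$key" && echo "private key has no passphrase"
is_self_signed "$crt" && echo "certificate is self-signed"
echo "verify error: $(verify_error "$crt")"
for host in xyz.com plesk; do
    if host_matches "$crt" "$host"; then
        echo "$host: certificate matches"
    else
        echo "$host: certificate does NOT match"
    fi
done
```

The two failures are independent: error 18 says nobody you trust vouches for the certificate, while the host name check says the certificate was not issued for the name you asked for.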
© 2012-07-20 Tony Lawrence