What is SSL

Started by Novel Web Solution, Nov 04, 2022, 10:14 AM


Novel Web Solution (Topic starter)

By tradition, let's start with a free definition. SSL (Secure Sockets Layer) is a special protocol by which data is transmitted from node to node of the network in encrypted form. And it works in such a way that only the target recipient can decrypt the data.
And, again, by tradition, a small remark. What the modern Internet works with, in most cases, is TLS, the successor of SSL. But everyone habitually calls it SSL, as the police are still called the militia. In essence, it performs the same functions, but better (I hope).



Why is it needed?
Even at the dawn of the mass spread of the global network, smart people saw its huge potential.
That is, the use of the Internet not only for the dissemination of scientific (public) knowledge, but also as a medium for the exchange of personal information, secret data, etc.
Usually, data transfer from the sender to the recipient occurs through several intermediate nodes. All because it is impossible to physically directly connect every computer to every computer in the world.

A vivid example that you can observe on your own is the movement of data from your computer to some site, for example google.com (do not consider it advertising; apparently ICMP and UDP are closed on the dnray.com server, so the trace simply does not reach it, and I want to demonstrate a complete result). You can do this using the tracing utility built into any network OS.

For example, on Windows:
[image]
Or on Unix:
[image]

So, at each node of this chain, the data that you transmit to a remote node, or the data transmitted to you from a remote node, can be viewed. And surely you would not want this opportunity to exist if we are talking about intimate correspondence with your soulmate. And there is no need to talk about the secret data of any special service.

For the purpose of hiding such data, a protocol began to be developed that would allow, on the basis of the existing infrastructure, to transfer data from the sender to the recipient in the form of gibberish, which could only be translated on the recipient's side.
So in February 1995, SSL 2.0 was released (its first version remained in beta and was never published).
The last version of the protocol was released in 2008. And at the moment (since January 2016), an update is under development, which is currently available only in the form of drafts.

How does it work?
I'll try a short introduction.
There is a certain scheme by which computers exchange information over the network. For compatibility of data transmission between any systems, the transmission scheme is standardized. It is called the "OSI Model", and it consists of several levels.

The model has a transport layer, which is responsible for data delivery. At the moment, a network protocol, TCP/IP, has taken a monopoly position at this level, and through it we all go online. This is the underlying protocol that is standard for data transmission in modern computer networks. It also includes about two hundred other protocols, including commonly used application layer protocols such as HTTP, FTP, SMTP, etc.

So, in simple terms, how data encryption works.
If you open a website, the server transmits data via HTTP (application protocol) to our computer. Conditionally, this data transfer looks like this:
[image]
In this case, the data is transmitted "as is", that is, anyone, if possible, will be able to intercept them and see exactly what you are transmitting. Whether it's photos, text data, video stream. Yes, in general, anything.

If the site uses SSL, then the data is put in a special box, mixed, and then transferred to you in this box. So it turns out HTTPS (like http, only better):
[image]
At the same time, if the data transmitted to you is somehow intercepted by someone, this someone will not be able to interpret them in any way, because he will see a hodgepodge of binary data.

In a slightly more complex language: how does it work?
The connection between your computer and the server with the site is made in several stages:
1. Your computer (client) establishes a connection with the server and requests a secure connection.
2. When establishing a connection, the client provides a list of encryption algorithms that it "knows". The server compares the received list with the list of algorithms that the server itself "knows" and selects the most reliable algorithm, after which it tells the client which algorithm to use.

3. The server sends its digital certificate signed by the certification authority and the server's public key to the client.

4. The client can contact the server of the trusted certificate authority that signed the server certificate and check whether the server certificate is valid. But it may not be connected. The OS usually already has the root certificates of certification authorities installed, with which the signatures of server certificates are verified.

5. A session key is generated for a secure connection. This is done as follows:

— The client generates a random digital sequence

— The client encrypts it with the server's public key and sends the result to the server

— The server decrypts the received sequence using the private key

Given that the encryption algorithm is asymmetric, only the server can decrypt the sequence. When using asymmetric encryption, two keys are used: private and public. The message is encrypted with the public key and decrypted with the private key. It is impossible to decrypt a message with only a public key.

This way an encrypted connection is established. The data transmitted over it is encrypted and decrypted until the connection is terminated.

Why would I need it personally?
Almost all of us use social networks, email, sites with authorization, and online stores where we pay for purchases with plastic cards.

Now imagine that the data that you enter in the form on the site will be transferred from your computer to the server for subsequent processing in plain text. If someone gets access to any of the intermediate data transfer nodes, they will be able to see this data. For example, employees of your Internet provider have access to routers through which data goes from you to the external network and back. Accordingly, they can have all your traffic in the palm of their hand. And if we are talking about the login and password from FB, then maybe the loss is small. But what if it is, for example, your plastic card number and its CVV code? You can be left without your hard-earned money.

So, data transmission in the Network via encrypted protocols is very important and necessary.
At this point I will make a short pause. Due to the fact that there was quite a lot of information for digestion again, in a couple of days I will write down a separate post about what SSL certificates are, how they differ and where to get them.
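The handshake stages listed in the post above (algorithm negotiation, sending the public key, and the client encrypting a random sequence for the server), as an added example that is not part of the original thread. It assumes a constructed toy RSA key without padding, a simplified HMAC-based key derivation, and omits the certificate signature check of step 4; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key: two Mersenne primes, far too small for real use, no padding.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                                  # the server's public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))          # the server's private exponent

def negotiate(client_offer, server_preference):
    """Step 2: the server picks its most preferred suite that the client also offered."""
    for suite in server_preference:
        if suite in client_offer:
            return suite
    raise ValueError("handshake failure: no common algorithm")

def derive_session_key(secret, client_random, server_random):
    """Both sides mix the shared secret with the two hello nonces (simplified KDF)."""
    return hmac.new(secret.to_bytes(16, "big"), client_random + server_random,
                    hashlib.sha256).digest()

def handshake(client_offer, server_preference):
    """Run steps 1-5 and return (suite, client_key, server_key, wire_messages)."""
    wire = []                              # everything an intermediate node can see
    client_random = secrets.token_bytes(32)
    wire.append(("ClientHello", client_random, tuple(client_offer)))   # steps 1-2
    suite = negotiate(client_offer, server_preference)
    server_random = secrets.token_bytes(32)
    wire.append(("ServerHello", server_random, suite))
    wire.append(("Certificate", (N, E)))   # step 3 (signature check of step 4 omitted)
    secret = secrets.randbits(128)         # step 5: the client's random sequence
    encrypted = pow(secret, E, N)          # encrypted with the server's public key
    wire.append(("ClientKeyExchange", encrypted))
    recovered = pow(encrypted, D, N)       # needs the private exponent D
    client_key = derive_session_key(secret, client_random, server_random)
    server_key = derive_session_key(recovered, client_random, server_random)
    return suite, client_key, server_key, wire

if __name__ == "__main__":
    # Constructed sample offers using OpenSSL-style suite names.
    suite, ck, sk, wire = handshake(["AES128-SHA", "AES256-GCM-SHA384"],
                                    ["AES256-GCM-SHA384", "AES128-SHA"])
    print(suite, ck == sk, [m[0] for m in wire])
```

The `wire` list holds only what crosses the network: the nonces, the public key and the encrypted sequence, never the random sequence itself or the derived session key.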

spinneren

For one domain, a certificate from ~$15 per year. Wildcard certificates (with subdomain protection) ~$100, multi-domain ~$50
For example, the simplest one can be taken from the Chinese from WoSign for free for 3 years.
You can ask your hosting provider if they work with Let's Encrypt. They issue free certificates.

Harry_99

Hi.
Thanks for the detailed explanation. In my experience, without this SSL-certificate, the site does not work for long. As a rule, its functionality is severely limited by the client browser. Which SSL-certificate to choose is the business of the site, its budget and functionality.

crtwins21

There is no provision in OSI, it is not written how the cryptographic parameters are negotiated, there is not even the slightest hint of the technicality of the article. Your option of encrypting the secret on the client and transmitting it to the server has long been outdated.
HMAC is not the only option for authenticating messages; there is also CBC-MAC and AES-EAX, for example.

Most of the article is about certificates, which, although they are related to TLS, do not make up a large part of it. This applies more to the problems of key exchange in an insecure channel.
I advise you to read the article "Analyzing TLS without coming out of a coma" in order to understand at least a little how it works.