SSL Certificates

When you view a website, the communication between you and the end web server passes through many other companies and possibly servers. It is possible for others to watch this traffic and capture anything you type. To prevent this, the web server can communicate using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).

When you attempt to fetch a webpage from an HTTPS URL, your client and the server use a combination of a public and a private key to encrypt and decrypt the data. Both keys are kept on the server; the client fetches the public key and encrypts any data it sends with it. The client encrypts data to be sent and decrypts data received using the public key, and the server decrypts data received and encrypts data sent with the private key (which is never disclosed, hence the name).

On the server you effectively generate both keys. However, even though communications are encrypted, there is no way to be sure you really are talking to the site you think you are. For example, you could be suffering from ARP poisoning, or from static IP addresses entered into your hosts file or your router. Therefore, the website owner will have the certificate signed by a trusted external company. This is done by generating a Certificate Signing Request (CSR) and passing it to a company such as Verisign, Thawte or one of the other companies trusted by your browser.
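
The key pair and Certificate Signing Request step described above, as an added example that is not part of the original page. It assumes the OpenSSL command-line tool is installed; the host name `www.example.test`, the file names and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Host name and file names below are constructed placeholders.
HOST="www.example.test"

# Generate an RSA key pair and a CSR for host $1 inside directory $2.
make_csr() {
    # umask 077: the private key is readable by its owner only.
    # -nodes: no passphrase on the key (kept simple for the demonstration).
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$2/server.key" -out "$2/server.csr" \
          -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null )
}

# True if CSR $1 has a valid self-signature and requests host name $2.
csr_names_host() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}

# True if the public key inside CSR $1 belongs to private key $2.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# True if file $1 contains no private key material (safe to send to the CA).
csr_is_public_only() {
    ! grep -q "PRIVATE KEY" "$1"
}

# Demonstration run in a throwaway directory.
work=$(mktemp -d)
if make_csr "$HOST" "$work" &&
   csr_names_host "$work/server.csr" "$HOST" &&
   csr_matches_key "$work/server.csr" "$work/server.key" &&
   csr_is_public_only "$work/server.csr"
then
    echo "CSR for $HOST is ready to submit; server.key stays on the server"
fi
rm -rf "$work"
```

Only `server.csr` is sent to the signing company; the checks confirm it names the intended host and carries the public half of the key pair and nothing else.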

It is worth mentioning that SSL certificates are not just used by web browsers. Other systems also use them to guarantee they are talking to the correct server. A good example is VoIP, where sending your user login details to a fake server could cost you thousands in phone bills. A common abuse of VoIP is to crack another user's account and then make multiple phone calls to a high-cost premium-rate number until the user's credit runs out.
