How SSL Works — A Beginner’s Guide

Nowadays, companies and organizations rely mostly on online services. Individuals as well do a lot of work online including financial transactions. Since money go here and there over the internet, security is essential. You must always transact on secure and legitimate sites. So, how do you know if a site is legitimate or secure? Thus, companies use SSL certificates to keep customer information private and secure online transactions.

What is an SSL certificate?

Secure Sockets Layer (abbreviated as SSL) is a cryptographic protocol that provides security for communication. In 1999, it was preceded by TLS ( Transport Layer Security). Yet, many people still use SSL.

SSL creates a secure channel between two machines when making a transaction. It is a transparent protocol where you can see a padlock in the address bar.

It supports a few security principles

  • Encryption where it protects data transmissions. For example, browser to browser or application to the server.
  • It enhances authentication where the server connected to is the actual server.
  • Whatever data is requested or submitted is what is actually delivered enhancing data integrity.

In simple terms, when you go to a secure website this certificate provides identification information stating it is the authentic website. Thus, it establishes an encrypted connection. This process is very rapid and happens within a fraction of a second. Let’s look into this more deeply.

SSL works on two basic and fundamental aspects:

  • Asymmetric Cryptography
  • Symmetric Cryptography

Asymmetric cryptography

This is public-key cryptography. This uses a separate key for encryption and decryption. In this instance, anyone can use the encryption key which is the public key. Using this, they can encrypt a message. However, the decryption key which is the private key is secret.

Thus only the intended receiver can decrypt the message and not anyone else. These asymmetric keys use either 1024 or 2048 bits but 1024 is no longer safe to use. The 2048 bit keys have an encryption which is quite unique. RSA and DSA are common algorithms it uses.

Take a look at the image below:

Symmetric cryptography

This is pre-shared encryption. In this instance, there is only one key that shares both the encryption and decryption. So, both the sender and the user should use the same key for encryption and decryption for communication. These keys are usually 28 or 256 bits. If the key is larger in size, it is harder to crack. Thus, it is difficult to break a 128 bit key by brute force attacks since there are so many possibilities. The most commonly used algorithms are AES-192 and AES-256.

Take a look at the image below:

When it comes to communication using SSL, it has two parts:

  • SSL handshake
  • Actual data transfer

SSL Handshake

The SSL handshake has the main goal. This is to provide privacy and data integrity between a server and a client for communication. Over here, the server and client will exchange important information to establish a connection. This could be either one-way or two-way. In one-way, only the server authenticates. In two-way or mutual SSL, both server and client authenticate.

Look at the following steps:

Client hello

The client sends information to start an HTTPS connection. It will look for a cipher suite that supports. If they do not find anything that supports, it will send a failure alert and close the connection.

Server hello

The server will respond with configuration to proceed with the handshake. The server will also send the cipher suite to the client. Apart from that, the server will also send the certificate of the server with the certificate chain.

Server key exchange message

This has details the client needs to create the per-master secret. Over here, the pre-master key is encrypted using a public key and decrypted with the private key. Or else, both are done with one key using symmetric cryptography.

Certificate request

Over here, if it is a one-way SSL, the authenticity of the client is not verified. One-way SSL handshake ignores this step. The server will send the certificate request. Then the server sends the ‘server hello done’ and waits for the client’s response.

Client certificate

The client gives the certificate chain to the server. It then negotiates the cipher suite’s key exchange algorithm.

Client key exchange message

The message is then sent to the client after the client’s certificate. However, if it is a one way SSL which does not present a certificate, then this exchange message is sent after the ‘server hello done’ message.

After the handshake, both the client and the server has a valid session key. It uses this to encrypt or decrypt actual data.

Actual data transfer

The transferring of actual data is done by a shared session key which is symmetric cryptography. Many use this method because it is easy and takes less CUP consumption, unlike asymmetric cryptography.

Types of SSL certificates

Extended Validation (EV) Certificates

This is known as EV SSL in short which many users prefer to use. The owner of the website has to pass through a globally standardized verification process. This is done to confirm its legal and physical existence. Furthermore, to also prove it has authorized the issuance of the certificate. It verifies the domain and also cross-checks with the physical location. This is one of the most comprehensive verification checking certificates. EV certificates show a green bar on the browser.

Organization Validated (OV) Certificates

In this type, after validating the domain, it validates the organization as well. These certificates usually confirm the existence of the organization. This will confirm the legal and physical existence of the company. You will usually see a lock in the address bar. This ensures to protect the site from hackers.

Domain Validated (DV) Certificates

This is the most basic level of SSL validation and can ensure secure data encryption. But it cannot ensure that the owner of the site is a legitimate business holder. You will see a locked padlock in the address bar. However, you won’t see any details of the organization. There is no person, place or entity to prove which you mean you can get a validation anonymously as well. Thus, this type is usually what hackers use for fraudulent activity.

Thus, this article covers the basics of how SSL certificates work. Therefore, the importance of having SSL validation is necessary to make sure you are in a legitimate place on the internet. Having an SSL certificate protects data and also improves customer trust. SSL protects sensitive information as it travels from the client to the server and can keep cybercriminals and hackers at bay.

Originally published at on November 11, 2019.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Shanika Wickramasinghe

Senior Software Engineer and Freelance Technical Writer. I write about any Computer Science related topic.