Why Do We Use SSL?

Most communication between computers across the Internet is done using the TCP/IP protocols we have been discussing throughout the book. TCP/IP makes it possible for information to get from one computer to its final destination, be it an e-mail message, Web page request, or online chat. TCP/IP moves the data from the source computer to the destination across the networks of intermediary computers that make up the Internet. TCP/IP has gained worldwide acceptance because of its flexibility and simplicity. Any computer can be designed to talk the TCP/IP language and participate on the Internet.

Picture the information moving from your computer to its destination. Maybe you are surfing a Web site or sending an e-mail message. Either way, the information you are sending is vulnerable to manipulation as it passes through each of the intermediary computers on the way to its destination. TCP/IP by itself does not protect the data it carries. That means your Web surfing, e-mail, and other Internet communications are open to attack unless they use SSL. Three fundamental security and privacy issues exist within the Internet infrastructure:

  • Eavesdropping: Anyone can intercept and read the information you send across the Internet. It doesn't matter whether you are sending e-mail, surfing a Web site, or chatting on an instant messenger; all of these involve sending data between two computers across the Internet. Someone could secretly learn your credit card or bank account number or listen in on your personal and confidential conversations.

  • Tampering: Communications across the Internet can be secretly intercepted and modified before they reach their destination. For example, someone could change an e-mail message you send before it reaches your intended recipient, or even change an order you are placing at an e-commerce site.

  • Impersonation: Impersonation has two sides. First, someone can pretend to be you on the Internet, masquerading with your identity by sending e-mail messages that appear to come from you or by visiting Internet sites with your credentials. Second, a Web site might appear to be a legitimate business when in fact it is a scam set up to collect personal information or credit card numbers from people.

All three of these issues have long existed on the Internet, and SSL v3.0 provides a set of protocols that address each of them.

We need privacy and security. As ever more information is shared, stolen, and exploited online, people need assurance that they can do something to protect themselves. Four critical concepts can be applied to online security and privacy, each of which is provided by SSL:

  • Authentication: Authentication of each party (the client and the server) is done before a trusted secure channel is set up.

  • Integrity: Integrity of the secure channel is maintained so that any tampering can be detected.

  • Confidentiality: Confidentiality of the transactions is achieved by encrypting the data.

  • Non-repudiation: The ability to prove that the sender actually sent the message.

Remember that you can use SSL for more than just Web surfing, including e-mail and even FTP. SSL applies authentication to digital transactions, be they online shopping or e-mail, to ensure that the parties involved really are who they say they are. Authentication provides the means to fight back against the threat of impersonation.

SSL provides integrity of the digital transactions so that any tampering with them can be detected. If someone were to change a transaction while it was in transit, SSL would alert the receiving party.

SSL also provides confidentiality of the transactions through encryption, which makes the transaction unreadable to anybody but the intended parties. If an eavesdropper attempts to intercept and read the message or transaction, they will see only the unreadable ciphertext that encryption produced. Only the intended parties can decrypt and read the contents of the transaction.

SSL provides non-repudiation when the sender digitally signs a message or transaction. Because only the sender's private key can produce that signature, the message is considered beyond doubt to have originated from the sender. Additionally, signing also seals the message so that any tampering can be detected. A signed message is proof that the apparent sender actually delivered it.
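To make the authentication property concrete, here is an added Go example (not from the book) that mints a throwaway self-signed certificate for the constructed host name "server.example" and runs two TLS handshakes over loopback: one in which the client has been told to trust that certificate, and one in which it has not and therefore refuses the connection. The certificate, trust pool and host name are all constructed for this example; the check the client performs is the same one a browser performs against its built-in CA store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort on fixture-setup errors
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert mints a throwaway certificate for the constructed host name
// "server.example" plus a pool trusting it (a stand-in for the client's CA store).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"server.example"}, // the identity the certificate vouches for
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// handshake runs one TLS handshake over loopback and returns the client's verdict:
// nil when the server proved its identity, an error when it could not.
func handshake(cert tls.Certificate, roots *x509.CertPool) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	defer ln.Close()
	go func() { // server side: answer exactly one connection, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // errors in step with a client rejection
			c.Close()
		}
	}()
	// roots == nil falls back to the system CA store, which has never heard of our
	// throwaway issuer, so the server looks like an impostor and is refused.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "server.example", RootCAs: roots})
	if err != nil {
		return err
	}
	return conn.Close()
}
```

Run `handshake(cert, pool)` and `handshake(cert, nil)` with the pair returned by `selfSignedCert()`: the first succeeds, the second fails with a certificate verification error.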

If you don't fully understand these concepts yet, keep reading; the next sections walk through an example of SSL in action.
