What Is SSL?

Proving identity and securing the exchange of information has been an ongoing goal of the Internet community. Now that the Internet community includes not only people like you and me, but also companies, governments, and criminals, it is more important than ever to have these reassurances. SSL is the Secure Sockets Layer set of protocols. In general, it is a standard way to achieve a good level of security between a Web browser and a Web site. Actually, SSL can protect more than just Web surfing activity, but we will cover that as we go along.

SSL has reached version 3 in its development. SSL version 1 was quickly replaced with version 2 several years ago. When several security problems were discovered with version 2 of SSL, the developers at Netscape created version 3. SSL v3.0 is considered the strongest yet, and it is the focus of this chapter. Today, Netscape is not the only company that is developing SSL-enabled products. Several companies are making SSL their own way; free, open-source versions of the software are available for anybody to use. For all these different SSL-enabled products to work together, they must follow a standard set of guidelines.

SSL is designed to create a secure channel, or tunnel, between a Web browser and the Web server. The secure tunnel is just for you and the Web server, so that any information you exchange is protected within the secure tunnel. The information exchange is protected because it is nearly impossible for anybody else to see or modify the information while it is in transit. Even better, SSL can provide protection for many types of communications, not just Web surfing. In fact, SSL can be used to secure e-mail, file uploads/downloads using File Transfer Protocol (FTP), and even Internet Relay Chat (IRC). SSL is wonderful because of its flexibility in protecting so many types of digital communications.

When you use an SSL connection, you are assured that it is difficult for snoopers or thieves to see the information you exchange. The fact is, it is quite simple for anyone to read the information you are transmitting across the Internet. Unless something special is being done to protect that information, it travels from your computer to its destination in a clear, readable format. The path that information travels across the Internet can be likened to a simple telephone conversation. When you pick up your phone to call someone across the country, your voice is traveling across miles of wires that are connected by central telephone offices that stretch across the country. Your voice passes through each central office, where it is given a signal boost that carries it to the next central office, again and again until your voice reaches the person on the other end of the phone. Computer information travels a similar path across the Internet, moving from router to router until it reaches its destination. Just as a wiretap can be used to listen in on your telephone conversation, similar techniques can be used to listen in on all your computer transmissions.

Client/Server Design

SSL connections require two parties. On one hand is your SSL-enabled Web browser. On the other hand is the SSL-enabled Web site you are visiting. That's it. You are the client, and the Web site is the server. For SSL to work, both parties must support it, and both parties can negotiate the terms of using it.

Public Key and Symmetric Key Cryptography

Encryption is discussed more in Chapter 12, “Securing Your Standalone PC: Viruses, Chat, and Encryption,” so it will be only lightly covered in this chapter. SSL uses both public key and symmetric key cryptography. In public key cryptography, encryption is based on two different keys. In the example of an SSL-enabled Web site, the server has a public key that is widely distributed to anybody who wants to encrypt communications with the Web server. The server also has a private key, which it can use to decrypt those communications. If a server or Web site wants to set up an SSL connection, it gives you its public encryption key. You then use the server's public key to encrypt data for the server, but you cannot decrypt the data. Only the server can decrypt the data with its private key.

Public key cryptography is only used to exchange symmetric encryption keys that will be used for the majority of the SSL session. They are called symmetric encryption keys because each party uses the same key to encrypt and decrypt data. It's comparable to several people in your family sharing copies of the same house key for locking and unlocking the front door. The main problem with symmetric keys is that they must be exchanged securely—after all, you don't want somebody eavesdropping on your key exchange to get his own copy of the key. To solve this, SSL uses public key cryptography to securely exchange the symmetric keys. Consider the following example:

1. Bob connects to his favorite Web site using https:// to signify an SSL connection.

2. The Web site gives Bob its digital certificate and public key.

3. Bob's Web browser generates a symmetric key and sends it to the Web site encrypted with the Web site's public key.

4. The Web site decrypts the symmetric key with its private key and starts using the symmetric key for the rest of the SSL session.

These four steps provide a broad outline, intended to describe only how public key cryptography is used to exchange the symmetric keys. It is extremely important that the public keys are also securely exchanged. If they are not securely exchanged, man-in-the-middle attacks are likely. In this case, an attacker could intercept the public key in transit from the Web site to the Web browser and modify it to the attacker's liking. The Web browser would receive the modified public key and, not knowing the difference, would use it to encrypt the transmission of the secret key. The attacker then would intercept the transmission of the secret key and be able to easily decode it, after which the attacker could decode the rest of the SSL session. The designers of SSL have thought of these and other tricks and have taken steps to ensure that the public keys are securely exchanged.
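The four steps and the public-key substitution described above can be traced in a short script. It is an added example, not code from the book. It assumes textbook RSA built from well-known primes with no padding (toy-sized and unsuitable for real use), a certificate reduced to a name, a public key and a certificate authority's signature over both, and the hypothetical names CA, SITE, ATTACKER and shop.example.

```python
import hashlib
import secrets

E = 65537

def make_key(p, q):
    """Textbook RSA from two known primes (toy sizes, no padding: illustration only)."""
    n = p * q
    return {"pub": (n, E), "priv": (n, pow(E, -1, (p - 1) * (q - 1)))}

def rsa(key, m):
    """Raw RSA: encrypt/verify with a public key, decrypt/sign with a private key."""
    n, exp = key
    return pow(m, exp, n)

def cert_digest(name, pub):
    return int.from_bytes(hashlib.sha256(f"{name}|{pub}".encode()).digest(), "big")

def issue_cert(ca, name, pub):
    """The CA signs the binding between a site name and its public key."""
    return {"name": name, "pub": pub, "sig": rsa(ca["priv"], cert_digest(name, pub))}

def cert_ok(ca_pub, cert, expected_name):
    return (cert["name"] == expected_name
            and rsa(ca_pub, cert["sig"]) == cert_digest(cert["name"], cert["pub"]))

def browser_key_exchange(ca_pub, cert, site_name, verify=True):
    """Steps 2-3: accept the certificate, then send a fresh symmetric key wrapped
    with the public key it carries. Returns (key, wrapped) or (None, None)."""
    if verify and not cert_ok(ca_pub, cert, site_name):
        return None, None
    sym = secrets.randbits(128)
    return sym, rsa(cert["pub"], sym)

# Constructed keys built from well-known primes; all names are hypothetical.
CA = make_key(2**127 - 1, 2**255 - 19)
SITE = make_key(2**89 - 1, 2**130 - 5)
ATTACKER = make_key(2**61 - 1, 2**107 - 1)
SITE_CERT = issue_cert(CA, "shop.example", SITE["pub"])
# Man-in-the-middle: same certificate, public key swapped in transit.
FORGED_CERT = dict(SITE_CERT, pub=ATTACKER["pub"])

if __name__ == "__main__":
    sym, wrapped = browser_key_exchange(CA["pub"], SITE_CERT, "shop.example")
    print("site recovers key:", rsa(SITE["priv"], wrapped) == sym)  # step 4
    sym, wrapped = browser_key_exchange(CA["pub"], FORGED_CERT, "shop.example", verify=False)
    print("unchecked swap, attacker recovers key:", rsa(ATTACKER["priv"], wrapped) == sym)
    checked = browser_key_exchange(CA["pub"], FORGED_CERT, "shop.example")
    print("checked swap accepted:", checked[0] is not None)
```

With verification on, the browser never wraps a key for the swapped public key, because the CA's signature no longer matches the certificate contents.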

Server-Side Digital Certificates

When visiting an SSL-enabled Web site, you are typically using the server's digital certificate to establish the SSL session. That is, the server's certificate is the trusted source for authentication of the server's identity and public keys that are used for encryption. It is less often the case that a client-side certificate is used. A client-side certificate is one that you possess and that your Web browser uses in the SSL connection. When both client- and server-side certificates are used, both sides have complete trust and both parties know each other's identities.

Although we are focusing on SSL's use for Web surfing, SSL can actually be used in many more places. It's true that SSL has been optimized to work over HTTP, the protocol of the World Wide Web. However, it also can be used with nearly any other protocol that operates above the TCP/IP layer. In other words, SSL can be used to secure the authentication and delivery of e-mail using the POP3 and SMTP protocols (see Chapter 8, “E-mail Security”). When combined with SSL, these e-mail protocols can be referred to in short as POP3/SSL and SMTP/SSL. As discussed in Chapter 8, the POP3 and SMTP e-mail protocols by themselves generally are not secure. Although they can provide for authentication using a username and password, those credentials are sent over the network in clear text. If you use a cable modem, anyone else on your block can read your credentials and even your e-mail messages. However, if you add the security of SSL to these protocols, your authentication credentials can be protected as well as your e-mail messages. Public key cryptography and encryption keep your e-mail account and messages safe from prying eyes.
