How does SSL work in a secure transaction?
Suppose Alice wants to connect to a secure Web site to buy something online: When Alice visits a Web site secured with SSL (typically indicated by a URL that begins with "https:"), her browser sends a "Client Hello" message to the Web server indicating that a secure session (SSL) is requested. The Web server responds by sending Alice its server certificate (which includes its public key).

Alice's browser will verify that the server's certificate is valid and has been signed by a CA whose certificate is in the browser's database (and whom Alice trusts). It will also verify that the CA certificate has not expired. If the certificates are all valid, Alice's browser will generate a one-time, unique "session" key and encrypt it with the server's public key. Her browser will then send the encrypted session key to the server so that they will both have a copy. The server will decrypt the message using its private key and recover the session key.

At this point Alice can be assured of two things: the Web site she is communicating with is really the one it claims to be (its identity has been verified), and only Alice's browser and the Web server have a copy of the session key. The SSL "handshake" - the process of identifying the two parties that want to establish an SSL connection - is complete and a secure communications "pipe" has been established. Alice's browser and the Web server can now use the session key to send encrypted information back and forth, knowing that their communications are confidential and tamper-proof. The entire process of establishing the SSL connection typically happens transparently to the user and takes only seconds.

A key or padlock icon in the lower corner of the browser window identifies the security mode of a browser. When the browser is running in "normal" mode, the key looks broken or the padlock looks open.
Once an SSL connection has been established, the key becomes whole, or the padlock becomes closed, indicating that the browser is now in "secure" mode. SSL is supported in the vast majority of browsers, which means that almost anyone with a browser can reap the benefits of SSL encryption. SSL is also incorporated into most Web servers on the market.

support@mercuryd.com
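The handshake described above, as a small simulation added here for illustration (it is not code from the original page): a CA signs the server's certificate, the browser runs its checks, and the session key travels encrypted under the server's public key. It uses textbook RSA with toy primes and no padding, and the names "Example CA" and "shop.example", the dates and the host-name comparison are assumptions made for the example.

```python
import hashlib, secrets
from datetime import date

def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes (toy sizes, no padding: illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def digest(cert, n):
    """Hash of the signed certificate fields, reduced to fit the toy modulus."""
    body = f"{cert['subject']}|{cert['public_key']}|{cert['not_after']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue_cert(subject, public_key, not_after, ca_name, ca_private):
    cert = {"subject": subject, "public_key": public_key,
            "not_after": not_after, "issuer": ca_name}
    n, d = ca_private
    cert["signature"] = pow(digest(cert, n), d, n)   # CA signs with its private key
    return cert

def browser_verify(cert, host, trust_store, today):
    """The checks Alice's browser makes before sending any key material."""
    ca = trust_store.get(cert["issuer"])
    if ca is None:
        return "untrusted CA"
    if today > ca["not_after"] or today > cert["not_after"]:
        return "expired"
    n, e = ca["public_key"]
    if pow(cert["signature"], e, n) != digest(cert, n):
        return "bad signature"
    return "ok" if cert["subject"] == host else "wrong host"

def handshake(host, cert, server_private, trust_store, today):
    """Returns (verdict, browser_key, server_key); keys are None on failure."""
    verdict = browser_verify(cert, host, trust_store, today)
    if verdict != "ok":
        return verdict, None, None
    n, e = cert["public_key"]
    session_key = secrets.randbelow(n - 2) + 2       # one-time session key
    encrypted = pow(session_key, e, n)               # only the server can open it
    recovered = pow(encrypted, server_private[1], server_private[0])
    return verdict, session_key, recovered

# Constructed sample data: Mersenne primes as toy RSA primes, made-up names.
CA_PUB, CA_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
SRV_PUB, SRV_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)
TRUST = {"Example CA": {"public_key": CA_PUB, "not_after": date(2035, 1, 1)}}
CERT = issue_cert("shop.example", SRV_PUB, date(2030, 1, 1), "Example CA", CA_PRIV)
```

Calling `handshake("shop.example", CERT, SRV_PRIV, TRUST, date(2025, 1, 1))` returns `"ok"` with matching keys on both sides; an empty trust store, a later date or an altered certificate field stops the exchange before any session key is generated.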