How does SSL work?

Simplified SSL – About Secure Sockets Layer and HTTPS


Processing transactions securely on the web means transmitting information between the web site and the customer in a manner that makes it difficult for other people to intercept and read. SSL, or Secure Sockets Layer, takes care of this for us. It works through a combination of programs and encryption/decryption routines that exist on the web hosting computer and in the browser programs (like Netscape and Internet Explorer) used by the internet public.

SSL Overview from the Customer’s Browser viewpoint

  1. The browser checks the certificate to make sure that the site you are connecting to is the real site and not someone intercepting.
  2. The browser and the web site server determine which encryption types they can both use to understand each other.
  3. The browser and server send each other unique codes to use when scrambling (or encrypting) the information that will be sent.
  4. The browser and server start talking using the encryption, the web browser shows the encrypting icon, and web pages are processed securely.

Detailed SSL/HTTPS:
See our detailed step-by-step SSL walk-through, including diagrams and sidebars on items like ciphers and man-in-the-middle attacks.


About IP addresses and SSL: Though your SSL certificate is bound to your fully qualified domain name (encrypted into the certificate request and registered when you purchase your certificate), web servers link the certificate to the IP address. The result is that if you attempt to have more than one SSL certificate associated with the same IP address (in the case of virtual hosting), you may get undesired results.

Typically the certificate that will be used for the IP address, no matter which domain you attempt to access, will be the first one in the web server’s configuration file. This is important to note for the web site owner because many of the budget and free web hosting services do not give you your own IP address.

Getting a unique IP address for an SSL certificate is usually the main factor in extra pricing for secure hosting on the budget web hosts and can often increase your pricing past that of a full service host. Even with full service web hosts, if you need separate certificates for multiple domains, you will often need to open individual accounts for each so that they have their own IP addresses. On the other hand, since the certificate itself is not linked to the IP address, you can usually move the certificate from one web host to another (as long as you have a unique IP address at the new host).

Our Detailed How does SSL work pages include additional IP address notes in the sidebars.


What does the typical merchant need to know about how SSL works?

Though it is good to answer the “How does SSL work?” question (see the steps on the following pages), the typical merchant really only needs to be concerned with how to get a secure certificate, making sure that he/she is using a valid and current SSL certificate (step 2.03), and what URL to use when creating secure links. SSL certificates are purchased from various certificate vendors, and ordering one requires a CSR (Certificate Signing Request) to be generated on the web server. This usually involves getting in touch with the hosting company and asking them to generate the CSR for you. After you receive the CSR (which looks like an encrypted block of undecipherable text), you can order your certificate from the SSL certificate provider. Once you receive the SSL certificate back from the certificate authority, you will normally need the hosting company to install it for you.

You also need to be sure that your hosting account will allow an SSL certificate. The primary factor is a unique IP address (as stated above). If not documented on your web host’s web site, it is a good idea to contact them directly. You want to know a) whether or not your account can handle its own certificate and b) what additional costs are involved.

After the web host installs the new certificate on the web server, the merchant/designer will need to be sure that the desired secure pages are called using “https://” in their links. All components on the page should use either a relative path (without https or http) or “https://” in order to avoid browser messages saying that some items are not secure. Additional page items (such as images) addressed using a relative path will default to the same protocol used when the page was displayed.
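One way to check a secure page for the items that trigger those browser messages is to resolve every embedded URL against the page address and flag anything that ends up on http. This is an added example, not code from the original page; the sample HTML and the example.com URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch (or post to) another URL.
# Plain <a href> links are left out: they navigate away, they do not load
# anything into the current page.
FETCH_ATTRS = {"img": ["src"], "script": ["src"], "iframe": ["src"],
               "link": ["href"], "form": ["action"], "source": ["src"],
               "audio": ["src"], "video": ["src", "poster"],
               "embed": ["src"], "object": ["data"], "input": ["src"]}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.insecure.append((tag, name, value))

def find_mixed_content(page_url, html):
    """Return (tag, attribute, url) for items an https page loads over http."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is not secure, nothing to mix
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample page
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/shop.css">
<script src="http://www.example.com/js/cart.js"></script></head><body>
<img src="images/logo.gif"><img src="HTTP://img.example.com/visa.gif">
<img src="//cdn.example.com/lock.gif">
<a href="http://www.example.com/">Back to catalog</a>
<form action="https://www.example.com/checkout" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    page = "https://www.example.com/checkout.html"
    for hit in find_mixed_content(page, SAMPLE):
        print(hit)
```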

Some web hosting companies have “shared” SSL certificates that you can use under their domain name. This eliminates the need for you to get your own. As an example, if OurShop.com were a web hosting company and xyz.com had an account there, they could use the shared certificate with a URL something like “https://xyz.ourshop.com”. A merchant that prefers to have their secure processing under their own domain name will need to get their own SSL certificate.
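The two certificate-name situations on this page (several sites sharing one IP address, and a host's shared certificate) reduce to one check: do the names in the certificate the server presents cover the hostname in the URL? The following Python sketch is an added example, not part of the original page; the hostnames, the certificate dictionaries and the assumption that the shared certificate is a wildcard are constructed for illustration.

```python
# Added example; every hostname and certificate below is constructed.

def cert_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Fall back to commonName only when the certificate lists no DNS names.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, hostname):
    """Compare one certificate name with a hostname, label by label.
    A '*' is honoured only as the whole left-most label (one label deep)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))

def audit_shared_ip(vhosts):
    """vhosts: ordered (hostname, cert) pairs configured on one IP address.
    Models the behaviour described in the text: the first certificate in
    the configuration is presented whichever hostname was requested."""
    presented = vhosts[0][1]
    return {host: cert_covers(presented, host) for host, _ in vhosts}

SHOP_A = {"subject": ((("commonName", "www.shop-a.example"),),),
          "subjectAltName": (("DNS", "www.shop-a.example"),
                             ("DNS", "shop-a.example"))}
SHOP_B = {"subject": ((("commonName", "www.shop-b.example"),),)}
# Assumption: the host's shared certificate is a wildcard for its own domain.
SHARED = {"subjectAltName": (("DNS", "*.ourshop.com"),)}

if __name__ == "__main__":
    sites = [("www.shop-a.example", SHOP_A), ("www.shop-b.example", SHOP_B)]
    for host, ok in audit_shared_ip(sites).items():
        print(host, "certificate matches" if ok else "name mismatch warning")
    for host in ("xyz.ourshop.com", "xyz.com"):
        print(host, "covered by shared cert:", cert_covers(SHARED, host))
```

The dictionaries use the same shape that Python's `ssl` module returns from `getpeercert()`, so the functions can be fed a certificate fetched from a real server.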
