SSL

What Is SSL? Definition

Let’s imagine an ordinary conversation in a crowded cafe. You lean over to a friend, cover your mouth with your hand, and say, “I’m going to tell you this now… just don’t tell anyone!” That’s the logic of SSL.

SSL (Secure Sockets Layer) is a way of communicating on the Internet so that no one but you and the recipient can tell what exactly you are discussing. It doesn’t matter if it’s a password, a card number, or just a like for a cat. The bottom line is that you are “whispering” in a crowd, but no one around you hears anything.

It is important to understand that SSL is not a single application or button. It is part of the “engine” of the site that makes your communication private. As soon as you open a website with a lock in the address bar (and an address starting with https://), you have entered a secure space. There’s a lot of technical magic going on behind the scenes, but from the outside it looks like an ordinary page, just a little safer.

A Bit Of History: How SSL Appeared

The Internet in the 90s was like the Wild West. The pages loaded slowly, the modems beeped, and no one thought about security. The sites transmitted information in an open format, as if each visitor shouted his data into a megaphone in the city square.

And then Netscape, one of the pioneers of the browser era, came on the scene. They were the ones who came up with SSL 1.0 in 1994. No one, by the way, ever saw it live — the version was internal, experimental, and quickly retired. SSL 2.0 and SSL 3.0 followed. These did become widespread, but they turned out to be not so reliable: vulnerabilities were found in them, like holes in a colander.

As a result, the world said, “We need something stronger,” and TLS (Transport Layer Security) appeared. This is, in fact, a continuation of SSL, only with a different name. But the name never caught on: people still say “SSL”, even if TLS has been running under the hood for a long time. It’s just a force of habit.

How SSL Works — On Your Fingers

In childhood, many people played spies. One person writes a message, crumples the piece of paper, hides it in a fist and passes it to a friend: “Just read it!” That’s about how SSL works, only instead of a piece of paper, we have electronic keys.

When you open the website, the browser says to the server: “Hello! Let’s talk, but don’t let anyone hear.” The server replies, “Okay, here’s my digital badge. Make sure I’m who I say I am.” Then they agree on special keys. It’s like a password, but temporary, only for this session.

The key is transmitted in encrypted form. The browser and the server agree: “Now, no matter what we say, we will encode everything with this key.” From now on, every byte of information is like an encoded letter. Only the addressee can read it.

And all this in a second, before you even had time to figure out what was going on.

SSL ID Certificate Without Panic

Why trust any website on the Internet? It may say, “I am a bank,” when in fact it is a fraudster’s website. To prevent this from happening, there is an SSL certificate, a digital document that confirms: “Yes, this site is indeed who it claims to be.”

If we continue the analogy with the cafe, then the certificate is a badge with a photo and a security seal. You look at it and say, “Okay, you really do seem to be from the company you claim.”

This certificate is issued by certification authorities, the so-called CAs (Certificate Authorities). Trust in them is built right into the browser. When you visit the website, the browser checks: “Yeah, this certificate is signed by a reputable organization. So it can be trusted.”

The certificate contains:

  • the name of the website,
  • expiration date,
  • information about the owner,
  • and the digital signature of the same CA.

So this is not just a piece of paper, but a proof of identity in the digital world. There will be no secure connection without it. Or it will, but with big questions.

Visual Markers Of SSL: Lock, HTTPS And The Rest

The browser is not a magician, but it gives some signs. How do I find out if SSL is working? It’s very simple: look for the lock in the address bar.

If all is well:

  • there will be a lock (usually gray or green),
  • the address will start with https://.

Previously, the green lock was considered the highest degree of trust. Especially if complete legal information about the owner was added to it. Now everything has changed a bit — many browsers have begun to “mute” the green color in order not to give a false sense of complete security.

And it happens like this:

  • the lock is crossed out, which means that there is SSL, but there are also problems (for example, the site loads images without protection);
  • there is no lock at all — the connection is not secured.

It is important to understand that SSL is not a 100% guarantee of website integrity. This is just a sign that the connection between you and the site is encrypted. But what the site itself does is another matter.

SSL In Different Scenarios: From Online Stores To API

SSL is not just about “Buy” buttons and payment forms. In fact, it works much more broadly, almost wherever the data needs to travel “under cover”. A simple example is the website of an online store. You log in, put something in the cart, enter an address, a card… all this goes through a secure connection. And it is not just the shopping cart. Even when you just open the website and enter an e-mail address to subscribe, SSL is already working.

And now a step further. Email. If you use modern mail services (Gmail, Outlook), then your connection to the mail server is encrypted. This means that someone who is on the same Wi-Fi with you in a coffee shop will not be able to intercept an email on the fly.

One more step. Cloud platforms and APIs. Programs “communicate” with each other — not with words, but with requests. And these requests must also be encrypted. If the service provides sensitive data to the client (for example, via the REST API), then all this goes over HTTPS. The user may not see what’s going on, but SSL is running in the background as an invisible security guard.

And also: the internal pages of websites, admin pages, developer interfaces — all this also requires SSL. Even if no one except one administrator goes there.

Threats And Weaknesses Of SSL: Why Everything Is Not So Perfect

It would seem that everything is secure, encrypted, and everything is fine. But, as with any technology, SSL has weaknesses. Especially in its previous versions. For example, SSL 2.0 and 3.0 have long been recognized as insecure. Yes, technically they “worked”, but the cryptography there was weak, and they were banned from use long ago.

Then there were attacks. In 2014, the whole world started talking about Heartbleed, a vulnerability in the OpenSSL library that allowed random (and sometimes not very random) pieces of data to be pulled from the server’s memory. People could get logins, passwords, keys… and all this through a hole in the heart of the system.

The BEAST attack allowed decryption of encrypted cookies. POODLE (Padding Oracle On Downgraded Legacy Encryption) worked when the browser and server “fell back” to the old encryption methods, and the attacker took advantage of it.

It was such attacks that forced the Internet industry to switch from SSL to the more modern TLS. Because, after all, encryption is a delicate thing: if you make a mistake in one line of code, the whole lock turns into a leaky gate.

What Is TLS And Why Is It Like SSL, But No Longer It

SSL is officially dead. Its last version, SSL 3.0, was released in 1996. Even then, it was far from ideal, and therefore in 1999 it was replaced by TLS (Transport Layer Security). But habit is a terrible force. Everyone still says “SSL certificate”, although in fact it has been a TLS certificate for a long time.

What is different about TLS? The main thing is improved cryptography. TLS is better protected from attacks, supports more modern algorithms, works faster and is more reliable in terms of compatibility. Today, most websites use TLS 1.2 or TLS 1.3. But TLS 1.0 and 1.1 are also considered obsolete.

And here’s the paradox: you go to a website, you see HTTPS, and you think, “Oh, SSL.” But in fact, this is no longer SSL, but TLS. It’s just that “SSL” has taken root as a popular name. As with a vacuum cleaner, everyone says “vacuum cleaner”, although there is a cyclonic turbine and a HEPA filter inside.

| Protocol Version | Release Year | Status | Vulnerabilities | Notes |
|---|---|---|---|---|
| SSL 1.0 | Never public | Deprecated | Unknown | Never officially released |
| SSL 2.0 | 1995 | Deprecated | Weak crypto, easy to break | Replaced due to major flaws |
| SSL 3.0 | 1996 | Insecure | POODLE | No longer used in modern browsers |
| TLS 1.0 | 1999 | Deprecated | BEAST | Phased out in 2020s |
| TLS 1.1 | 2006 | Deprecated | Obsolete | Phased out with TLS 1.0 |
| TLS 1.2 | 2008 | Active | Minor, but patched | Still widely used and supported |
| TLS 1.3 | 2018 | Active | No known critical issues | Fast, secure, modern standard |

Validity, Revocation And Renewal Of Certificates

So they gave the site a certificate, and what’s next? Then the cycle begins. Certificates don’t last forever. Usually 90 days or 1 year. Then they need to be renewed. Why is that? Because if something suddenly happens (hacking, key leakage, domain change), the certificate must “die” so that attackers cannot use it as a “fake badge”.

If there is a problem, the certificate can be revoked. There are two ways: CRL (a list of revoked certificates) and OCSP (a protocol that checks the status of a certificate with the certificate authority in real time). When you visit the site, your browser may ask, “Is this certificate still alive?” and get an answer.

And if the certificate is expired, then you will see a terrible warning in the browser: “The connection is not secure.” The site may work, but the user no longer trusts it. It’s like a business card without a date: it looks like yours, but it’s not clear if it’s relevant.

Therefore, it is important that the certificates are updated on time. Many administrators automate this process — through Let’s Encrypt, for example. Otherwise, you can be left without the trust of users in one click.
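
The certificate fields listed earlier (site name, expiration date, owner, issuing CA) and the renewal cycle described here, as an added example that is not part of the original page. The sample certificate is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the function names and the 30-day renewal window are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Shop Ltd"),), (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}

def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a subject/issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def cert_time(cert, field):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert[field]), timezone.utc)

def name_matches(cert, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    host = host.lower()
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = pattern.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def certificate_status(cert, host, now, renew_before_days=30):
    """Classify a certificate the TLS handshake has already signature-checked."""
    if not name_matches(cert, host):
        return "name mismatch"
    if now < cert_time(cert, "notBefore"):
        return "not yet valid"
    remaining = (cert_time(cert, "notAfter") - now).days
    if remaining < 0:
        return "expired"
    return "renew now" if remaining <= renew_before_days else "ok"

if __name__ == "__main__":
    now = datetime(2025, 3, 15, tzinfo=timezone.utc)
    print("issued by:", rdn_value(SAMPLE_CERT["issuer"], "commonName"))
    print("status:", certificate_status(SAMPLE_CERT, "www.shop.example", now))
```
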

Conclusion: SSL Is Not A Lock, But A Trust

After all, SSL is not just a technology. This is trust. Between the browser and the website. Between the user and the platform. This is the signal: “I’ve done everything to keep your data safe.”

Yes, you can delve into protocols, keys, handshakes. But speaking humanly, SSL (and now TLS) has become a symbol of an honest and secure Internet. It doesn’t save you from everything: it’s not an antivirus, it’s not a firewall. But it creates the foundation. It says, “I’m not going to eavesdrop or sell your data. I’m just giving you a safe channel.”

And the lock in the browser is not just an icon. It’s a metaphor: you can whisper here and no one will hear.