The age of encryption: All you need to know about SSL
Nowadays, you hear a lot of talk about Internet security, encryption and privacy. Many people tell you to use HTTPS or encryption services, but very few tell you why or actually explain how things work. This is why I've decided to write a series of articles and try to explain some of the most often used security terms, and what better way to start things than with SSL, a protocol that everybody should use, but few actually understand.
What is SSL?
The first thing that one should understand is what exactly SSL is. In very simple terms, SSL/TLS, or Secure Sockets Layer/Transport Layer Security, is an Internet protocol designed to ensure the security of the data that is being exchanged by encrypting it with a unique key. Basically it has three jobs:
- Make sure that the website you're sending data to is actually the one that you were trying to reach. So, if you were Red Riding Hood and you had to visit Grandma's house, but you only had the address and didn't actually know where it was, this protocol would make sure that the Big Bad Wolf won't simply stick Grandma's address label to his house and invite you in for supper.
- Create an encrypted connection between the user and the website in order to protect the data that you're sending. If we use the same analogy, this will practically lock the basket with the goodies so that even if the Big Bad Wolf sees it or takes it, he won't be able to see what's inside or steal it.
- Verify the integrity of data transmission processes. This means that, if during the transport someone takes something from the basket or replaces some of the items, both Red Riding Hood and Granny will be able to know instantly.
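How a client program ends up with (or without) these three guarantees, as an added example that is not part of the original article. It uses Python's standard `ssl` module; the function names `hardened_context`, `careless_context` and `audit` are illustrative, and the careless configuration is constructed to show what a missing identity check looks like.

```python
import ssl

def hardened_context() -> ssl.SSLContext:
    """Client settings that enforce all three jobs listed above."""
    ctx = ssl.create_default_context()            # trusts the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    return ctx

def careless_context() -> ssl.SSLContext:
    """Constructed bad example: traffic is encrypted, but the other end is never identified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, even a self-signed one
    return ctx

def audit(ctx: ssl.SSLContext) -> list:
    """Return the settings in ctx that weaken the three jobs."""
    findings = []
    # Job 1 (is this really Grandma's house?) needs both checks below.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("certificate name is not compared with the hostname")
    # Jobs 2 and 3 (locked basket, tamper detection) rely on a modern protocol version.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings

if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()),
                      ("careless", careless_context())):
        print(name, audit(ctx) or "no findings")
```

A connection made with the careless settings still shows up as encrypted on the wire, which is why the identity check has to be audited separately from the encryption.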
Why do I care about this?
In case you're wondering what makes it so important, the answer is simple: this protocol makes it very hard for attackers to see or steal the information that you send on the Internet. Simply put, you should never make an online transaction if the SSL/TLS protocol isn't active on the page where you're providing your financial data. How do you know when SSL is active? There are two clear signs:
- The address of the webpage starts with HTTPS not with a simple HTTP.
- If the protocol is active, most popular browsers will display a locked padlock icon in front of the URL address.
Google, Microsoft, Facebook, banks and online transaction services are all using this protocol and are pushing for as many websites as possible to use it as well, but unfortunately, that's not always the case.
Why isn't everybody using it?
I'm sure you already understand how important this protocol is, so by now you must be asking yourself why there are still many websites that don't use SSL/TLS. Unfortunately, even though it's immensely useful, the protocol has two major flaws: it's tricky to set up and can be quite expensive. In order to set up SSL/TLS, you need to authenticate your website by purchasing digital certificates from organizations called Certificate Authorities (CAs). There are many types of certificates, and as I already said, they're expensive and eventually expire, which means that you need to periodically buy new ones and go through the setup again, so many site owners don't want to or can't afford to go through all this hassle.
How safe is it?
As I have said time and time again, there is nothing in this world that's 100% secure. Since the protocol was originally developed (in part by Netscape) in the 1990s, you can imagine that there have been several vulnerabilities found over the years, but the fact that it still endures says a lot about its effectiveness. Most often, hackers are able to hack the Certificate Authorities and create valid certificates for fraudulent websites, but there have also been attacks capable of stripping away the encryption from the data that's in transit. At one point, security researchers even found a vulnerability named Heartbleed, which was embedded in a free tool called OpenSSL used by many to set up the SSL protocol on websites.
However, despite the number of problems and vulnerabilities, SSL/TLS is still our best solution for online security and privacy. In today's world, the Internet is no longer a mystery, and almost everybody knows how to be a hacker (even if not a good one), so you at least need to get the bare minimum level of protection. In case you want my recommendation, never send financial and personal data or important login information on a website that doesn't use SSL/TLS. A username and password (that you don't use for other accounts) are acceptable, but anything more than that can compromise your security.