Everything you need to know about SSL

It used to be that people worried about their personal information on the internet because they didn’t quite understand how it worked. Grandparents wouldn’t purchase plane tickets online because they didn’t want somebody stealing their credit card details, and conspiracy theorists refused to use email because they didn’t want the government stealing their ideas, that sort of thing. And the rest of us rolled our eyes.

In recent years, things have changed drastically. A few hundred publicised data breaches and a few million horror stories of personal information being stolen later, and those grandparents and that conspiracy theorist don’t seem so crazy anymore. Now people worry about their personal information on the internet because they do understand how the internet works. Encrypted communications and SSL are more important now than ever. No one is rolling their eyes over online security anymore.

What is SSL?

SSL stands for the Secure Sockets Layer protocol, which is the cryptographic protocol that establishes an encrypted link between a browser and a web server. The name is a little tricky because the protocol currently being used is Transport Layer Security, or TLS, but it’s still largely referred to as SSL, the protocol it replaced.

[Figure: SSL diagram. Source: Incapsula]

How does SSL work?

When a browser connects to the average website it does so with a process referred to as the transmission control protocol or TCP handshake. In a TCP handshake the browser sends a connection request to the server which the server accepts, responding with an acknowledgement. The browser receives this acknowledgement and sends its own acknowledgement in return.

SSL takes these interactions between a browser and a web server and encrypts them to ensure that these communications can only be read by the intended recipient. It does so by complicating the handshake process, requiring the server and browser to agree on a method of encryption and proceed through the process of mutual verification, as well as generate the keys that will be used to encrypt and decrypt the information exchanged. Should an attacker attempt a man-in-the-middle attack that intercepts any of these communications, all they will get is encrypted data. Good luck with that.
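The protection described above depends on the verification step actually being switched on at the client. The following is an added example, not code from the original article: it uses Python's standard ssl module to build a client configuration that verifies the server and refuses protocol versions older than TLS 1.2, next to a constructed weak configuration, with a small audit function that reports what each one is missing. The function names are hypothetical.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client settings that verify the server before any data is exchanged."""
    # create_default_context() requires a valid certificate chain and
    # checks that the certificate matches the hostname being contacted.
    ctx = ssl.create_default_context()
    # Refuse the legacy SSL / early TLS versions that TLS replaced.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed 'before' case: traffic is encrypted, but to anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate at all
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means none were found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "no findings")
```

With verification disabled, the handshake still completes and the traffic is still encrypted, but the client has no assurance about who holds the other end of the connection.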

What is an SSL certificate?

An SSL certificate is essentially what allows you as a website owner to enable SSL on your website. It identifies your website and you install it on your server. Once in place, it is displayed to your website users either by a padlock icon in the browser, or by a green address bar. An SSL certificate indicates to users that their information is secure, and it helps gain their trust in your website.

Who needs SSL?

Consider this: if you don’t use SSL, it is theoretically possible for other people to see every bit of information that is being transmitted to and from your website. If you can respond to that thought with a shrug, you probably don’t need SSL. But if your website deals with anything like credit card numbers, addresses, user names, passwords, or any kind of personal information, you need an SSL certificate.

So…why doesn’t everyone who needs SSL just use SSL?

Good question. After all, if a user doesn’t trust a website and doesn’t see one of those symbols of an SSL certificate, he or she probably isn’t going to be handing over their credit card number for a purchase or signing up for anything when they have limitless opportunities to make that purchase or sign up on other websites. Further, failure to properly secure user information can not only destroy a company’s reputation, it can result in serious lawsuits.

However, there can be a downside to SSL, and that downside comes in the form of slower page load times. According to CDN provider Imperva Incapsula, because of that more complicated handshake process, instead of a page load taking one round trip, it will take about three round trips. People are impatient and page load time is one of the main concerns for internet users, with a one-second delay in page load time causing a 16% drop in user satisfaction.

Overall, security and encryption should be more important to a website owner than page load time. But it isn’t always, and with so much emphasis being placed on site speed, it’s not impossible to understand why.

Is it possible to have the benefits of SSL without a lag in page load time?

In order to have the encryption benefits of SSL without sacrificing the speed of your website, you simply need to invest in a technology that delivers your content to your users as quickly as possible. That technology would be a content delivery network, or CDN.

A CDN is a global network of proxy servers that store your website’s content. Users will be automatically redirected to the server closest to them, cutting down on how far your content has to travel in order for it to be displayed, cutting down on that round trip time. So with SSL and a CDN you’ll have the security of SSL, pages that load as quickly as possible for your users, built-in load balancing thanks to the multi-server environment of the CDN, built-in DDoS protection for the same reason, additional distributed denial-of-service attack protection from leading CDN providers, network optimization, smart management of your multimedia content resources, reduced bandwidth bills, and the search engine ranking improvements that come from having SSL without the search engine ranking hit that can come from slower page load time.

Not bad for a couple of initialisms.

In this day and age, the average internet user knows too much, attackers know too much, and you know too much to allow personal information to be transmitted to and from your website without encryption. Nobody wants to admit the neighborhood conspiracy theorist is right about anything, but he had this one figured out all along.
