beanz Magazine

What is an SSL Certificate?

Scott Schill on Flickr

How to tell if a web page is secure is one of the most basic yet least obvious ways to protect your data online.

A few months ago, the New York Times ran an article titled "Data Security is a Classroom Worry, Too" (linked below this article). The quick summary? An online education vendor did not encrypt all the pages of their application. Encrypting website data is so easy to do, and built into most or all legitimate web hosting services, that I was stunned. Presumably the vendor had good reasons. And presumably they've fixed the issue.

This article is a basic primer to follow up the main point of the Times article: kids, parents, teachers, anyone can easily tell if a page is encrypted. Here's how to tell if a website encrypts data between its web server and your web browser, and back again, with a Secure Sockets Layer certificate.

Secure Sockets Layer (SSL) certificates are relatively unknown to non-technical people. There are two parts to them: the visually obvious part that web site visitors see, and the behind-the-scenes technology.

What You See

It's easy to tell if the web site you're currently visiting uses SSL. Look up towards the top left of your web browser. If you see this, the site does not use an SSL certificate.

Figure: A Non-Encrypted Website URL Field

However, if you see a lock icon, or lock icon plus a company name, in the top left corner of your web browser, the web site uses an SSL certificate to encrypt traffic between your web browser and their web server:

Figure: An Encrypted Website URL Field

If you click the icon to the left of the URL, a popup window should appear with details about the web site and the method of encryption used to deliver their web pages:

Figure: Example of an SSL Certificate Popup (Twitter)

If you click the More Information button on this initial popup screen, you will see the actual SSL certificate in the web browser’s certificate viewer popup:

Figure: Example of an SSL Certificate Viewer Popup (Twitter)

The SSL Certificate popup can be interesting, but the key details are the level of encryption used and the expiration date. Today, SSL certificates should use 256-byte encryption. No worries, though, you don't need to know what that actually means. If you do look at the SSL certificate popup, simply check that the encryption used is 256-byte or higher.
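For readers who would rather check those two details, encryption strength and expiration date, from a script than from the browser popup, here is an added example (not part of the original article) using Python's standard ssl module, which reports cipher strength in bits. The sample certificate and cipher values are constructed, and the function names are this example's own.

```python
import socket
import ssl
from datetime import datetime, timezone

MIN_BITS = 256  # threshold taken from the article's advice (assumed to map to bits here)


def review_connection(cert, cipher, now=None):
    """Summarise the two details the article singles out.

    cert   -- dict in the shape returned by SSLSocket.getpeercert()
    cipher -- tuple (name, protocol, secret_bits) from SSLSocket.cipher()
    """
    now = now or datetime.now(timezone.utc)
    # Certificates carry their expiry as text, e.g. "Jun  1 12:00:00 2014 GMT".
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    name, protocol, bits = cipher
    return {
        "cipher": name,
        "protocol": protocol,
        "bits": bits,
        "meets_threshold": bits >= MIN_BITS,
        "expires": expires,
        "days_left": (expires - now).days,
        "expired": expires <= now,
    }


def fetch_and_review(host, port=443, timeout=5):
    """Connect to a live site (needs network access) and review it."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return review_connection(tls.getpeercert(), tls.cipher())


# Constructed sample values, not captured from a real site.
SAMPLE_CERT = {"notAfter": "Jun  1 12:00:00 2014 GMT"}
SAMPLE_256 = ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)
SAMPLE_128 = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)

if __name__ == "__main__":
    today = datetime(2013, 10, 1, tzinfo=timezone.utc)
    for sample in (SAMPLE_256, SAMPLE_128):
        print(review_connection(SAMPLE_CERT, sample, now=today))
```

Calling `fetch_and_review` with a host name runs the same review against a live site; a certificate that has expired or does not match the site makes the connection fail with an `ssl.SSLError` before any page data is exchanged.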

Also, the fancy colored icon with company name is not necessary. It’s a feature companies pay extra to have. It’s an extra level of care, branding, and validation. You are as safe on a site without the coloring and company name if both sites use 256-byte encryption with the same vendor or another reputable vendor.

For most people, this is enough information to determine if the web site they're visiting passes their personal data in encrypted form. Many web sites do not need SSL because they don't use personal information. However, if you are on a web site where your personal information is displayed, check the top left of the web browser of every page to confirm your data is encrypted as it is sent back and forth across the internet.

Why does SSL matter? It is possible for someone to capture the non-encrypted traffic between you and any web site. They can also capture your encrypted traffic, but it is of little use to them because they can't easily decode it. Sites use SSL certificates to ensure all their data traffic is encrypted.

What You Don't See

How SSL certificates work is not too difficult to understand. In its simplest form, the certificate has to be attached to something in order to work. The certificate is attached to a physical computer with a unique address and connected to the internet.

On the internet, addresses for computers are called IP addresses, or Internet Protocol addresses. An SSL certificate is attached to a unique IP address and computer on the internet. Almost always, the computer is in a data center and controlled by a web hosting company.

If you are interested, internet addresses or IP addresses exist in one of two forms, either four blocks or six blocks. Each block has up to three digits. 1.1.1.1 is an IP address and so is 999.999.999.999.999.999. Every computer connected to the internet has its own unique IP address. We rarely see this address as humans, however. We only see the URL, for example, http://www.nytimes.com. But there are servers on the internet that translate the URL into its IP address to ensure web browser requests travel back and forth to the correct server. These translation servers are called Domain Name System servers or DNS. They work like address books: give an IP address to a DNS and it’ll hand you the human-readable URL. Hand a URL to a DNS and it’ll hand you the IP address.

Once the certificate is assigned and configured to work on a computer with a unique IP address, traffic between the web server and web browsers uses data included in the SSL certificate to encrypt and decrypt the data traffic.

Your personal details, for example, only appear in decrypted form in your web browser and on the web server as the web server works with your data. For example, the web server could pass your credit card data to another application to process for payment, usually through another transaction also secured with an SSL certificate.

Where to Get SSL Certificates

Because SSL certificates have to be assigned to a computer and internet address, almost all certificates are sold and managed by web hosting companies. Companies sell certificates to hosting companies who then sell the certificate to you for use with your web site hosting. In some cases, larger businesses buy certificates directly and attach them to computers they control in their data centers where they host web sites and web applications.

Learn More

Data Security is a Classroom Worry, Too

http://www.nytimes.com/2013/06/23/business/data-security-is-a-classroom-worry-too.html?pagewanted=all&_r=0

What Is SSL (Secure Sockets Layer) and What Are SSL Certificates?

https://www.digicert.com/ssl.htm
http://www.digicert.com/ssl-cryptography.htm

Domain Name System (DNS)

https://en.wikipedia.org/wiki/Domain_Name_System

SSL Certificate

https://en.wikipedia.org/wiki/SSL_certificate

Internet Protocol (IP) Address

https://en.wikipedia.org/wiki/IP_address
