Communications on the internet can be of two types: encrypted or unencrypted. An internet connection can be intercepted by anyone who can place themselves in its path, or who can simply observe its traffic (for example, computers on the same network). If the communication is unencrypted, whoever intercepts it can read its contents. Think of what happens when you log in to a web page.
A malicious user may be able to read the login data, with foreseeable consequences. Consider, for example, the login data for a bank account.
Because of this risk to internet connections, an encryption technology was developed, called SSL (Secure Sockets Layer), which later evolved into TLS (Transport Layer Security). Applied to Web/HTTP connections, it is called HTTPS.
The operation of an HTTPS connection
The encryption is based on a two-key system: one key, called the “public” key, is sent to all clients, while the second key, called the “private” key, is known only to the server. Data encrypted with one key can be decrypted only with the other key.
In brief, an HTTPS connection works like this:
- The client connects to the server.
- The server sends the client an SSL certificate, which includes the domain name of the site and the public encryption key.
- The client sends a new encryption key, encrypted with the public key sent by the server.
- If the server is able to decrypt this key, it proves its authenticity and the connection is established.
- Data is exchanged as in any HTTP connection, encrypted with the exchanged keys.
But what exactly is the certificate? Without it, it would be easy for an attacker to interpose itself between the client and the server and impersonate the server to the client.
The certificate guarantees that the public key it contains belongs to that particular domain, because this has been verified by an authority that the client trusts.
So anyone who comes between client and server cannot impersonate the server in any case: it could not obtain a certificate that the client trusts, and even if it copied the original server certificate, it would not have the private key needed to complete all the steps of the connection.
The role of the SSL certificate
The last question concerns how clients decide that a certificate is trustworthy. It is a chain of trust. Operating system and browser vendors ship in their software the certificates of the Authorities they consider trustworthy. With a mechanism analogous to that of encrypted connections, the private keys of these certificates are used by the Authorities to sign other certificates. So when browsers receive a certificate from the server, they check whether it is signed with one of the certificates they hold. If there is a match, they authorize the connection and show the green padlock.
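The connection steps and the trust check described above, as an added example that is not part of the original article: a toy textbook-RSA model (no padding, fixed demo primes, not real TLS) in which an Authority signs the server's key, the client verifies it and sends an encrypted session key, and an interposed party fails both with a self-signed certificate and with a copy of the genuine one. All function names, the keys and the domain shop.example are constructed for illustration.

```python
import hashlib
import secrets

E = 65537  # RSA public exponent shared by every toy key below

def keypair(p, q):
    """Toy RSA key from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(domain, pub_n, mod):
    """Hash of the certificate body (domain + public key), reduced mod the signer's n."""
    h = hashlib.sha256(f"{domain}|{pub_n}".encode()).digest()
    return int.from_bytes(h, "big") % mod

def issue_cert(domain, pub_n, signer_n, signer_d):
    """An Authority signs (domain, public key) with its private key."""
    sig = pow(digest(domain, pub_n, signer_n), signer_d, signer_n)
    return {"domain": domain, "pub": pub_n, "sig": sig}

def client_accepts(cert, wanted_domain, trusted_ca_n):
    """Client side: the domain must match and the signature must verify under a trusted key."""
    expected = digest(cert["domain"], cert["pub"], trusted_ca_n)
    return cert["domain"] == wanted_domain and pow(cert["sig"], E, trusted_ca_n) == expected

def client_key_exchange(cert):
    """Client picks a fresh session key and encrypts it with the certificate's public key."""
    session_key = secrets.randbits(128)
    return session_key, pow(session_key, E, cert["pub"])

def recover_key(ciphertext, pub_n, priv_d):
    """Whoever answers the client must decrypt the session key with a private exponent."""
    return pow(ciphertext, priv_d, pub_n)

# Constructed demo keys (Mersenne primes, far too structured for real use).
CA_N, CA_D = keypair(2**107 - 1, 2**127 - 1)        # Authority in the client's trust store
SRV_N, SRV_D = keypair(2**61 - 1, 2**89 - 1)        # genuine server
MITM_N, MITM_D = keypair(2**521 - 1, 2**607 - 1)    # interposed party's own key

def run_scenarios(domain="shop.example"):
    genuine = issue_cert(domain, SRV_N, CA_N, CA_D)
    forged = issue_cert(domain, MITM_N, MITM_N, MITM_D)   # self-signed, not by the Authority
    key, ct = client_key_exchange(genuine)                # also what a copied cert yields
    return {
        "genuine_accepted": client_accepts(genuine, domain, CA_N),
        "server_gets_key": recover_key(ct, SRV_N, SRV_D) == key,
        "forged_accepted": client_accepts(forged, domain, CA_N),
        "copied_cert_gets_key": recover_key(ct, SRV_N, MITM_D) == key,
    }
```

Calling `run_scenarios()` returns the four outcomes: the genuine certificate is accepted and the server recovers the session key, while the self-signed certificate is rejected and the copied certificate is useless without the matching private key.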
The Authorities issue SSL certificates after first checking that the applicant is the actual owner of the domain. The simplest verification is made by sending an email to a mailbox on the chosen domain. Each Authority uses a validation system that depends on the certificate purchased. By clicking on the green padlock in the browser, the visitor can obtain information about the Authority that issued the certificate. A more famous brand gives more security to the customer. Moreover, almost all Authorities allow their customers to show a “siteseal” on the site, that is, a logo of the Authority, which gives more security to users.
The best SSL certificates to purchase are the EV (Extended Validation) ones. As you can guess, the Authority carries out more stringent checks, and this gets you not only the green padlock but also a green bar in the address bar with the name of your company, which gives visitors more assurance that the company has been certified and exists. It is generally used on eCommerce websites to give more confidence in the reliability of the company.
At Scudlayer, we recently launched our line of SSL Certificates with ultra competitive prices starting from only 4.90 Euro! We have Comodo, Symantec, Thawte, GeoTrust certificates and more. If the certificate you are looking for is not on the page, or you want to buy an EV certificate, contact us and we will provide you the best price.