What is SSL?
Recent developments in browser/server technology have made it
easy for people to use Web services without worrying about electronic
fraud. Two examples are Secure Sockets Layer (SSL) developed by
Netscape, and Secure Hypertext Transfer Protocol (S-HTTP) developed
by Terisa Systems, Inc. Both of these security protocols have
been submitted to the Internet Engineering Task Force (IETF) as
Internet-Drafts. Basically, these protocols allow the browser
and server ends of a Web session to authenticate one another and
secure information which subsequently flows between them. Through
the use of cryptographic techniques such as encryption and digital
signature, these protocols:
  - Allow Web browsers and servers to authenticate each other;
  - Permit Web site owners to control access to particular servers,
    directories, files or services;
  - Allow sensitive information (e.g., credit card numbers) to be
    shared between browser and server, yet remain inaccessible to
    third parties; and
  - Ensure that data exchanged between browser and server cannot be
    corrupted - accidentally or deliberately - without detection.
Public key certificates
A key component in the establishment of secure Web sessions via
the SSL or S-HTTP protocols is the public key certificate. Without
authentic and trustworthy certificates, protocols like SSL and
S-HTTP offer no security at all.
The credentials used to authenticate Web servers and their clients
via protocols such as SSL and S-HTTP are called X.509 public key
certificates. A public key certificate is analogous to a passport,
in that it proves your identity and is authorized by a trusted
third party known in the security world as a Certification Authority
or CA (see below). In the passport analogy, the CA is similar
to the Passport Office, which verifies your identification, creates
a recognized and trusted document which certifies who you are,
and issues the document to you.
CAs and third-party trust
A Certification Authority (CA) is a trusted authority responsible
for issuing certificates used to identify a community of individuals,
systems or other entities which make use of a computer network.
By digitally signing the certificates it issues, the CA binds
the identity of the certificate owner to the public key within
the certificate, and thereby vouches for the trustworthiness of
the certificate. Network users possess the CA's own public key
certificate (sometimes referred to as the "root key"), and use
it to verify others' certificates. In doing so, they have assurance
that the public keys in those certificates are the authentic keys
of the named subjects, and know that the CA (whom they recognize
and trust) vouches for this binding. The CA plays a crucial role
in Web security, since the CA makes a third-party trust relationship
possible.
In a large, distributed and complex network such as the Web,
the third-party trust model is necessary since there are many
permutations of dynamic, client-server relationships. Servers
and clients may not have an established mutual trust; yet both
parties want to have secure sessions, which demands a foundation
of trust. The CA is the missing link which makes trusted Web sessions
a reality. Because each party in the session trusts the CA, and
because the CA has vouched for each party's identification and
trustworthiness by signing their certificates, each party recognizes
and has implicit trust in the other, so the secure session can
proceed without the risk of masquerading. Further, since the two
authenticated parties exchange public key certificates, they can
encrypt and digitally sign session data, removing the possibility
that others may eavesdrop on the session or tamper with data.
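
The trust check described above, as an added example that is not part of the original page: a constructed CA signs a server certificate, and a relying party holding only that CA's certificate accepts it while rejecting a certificate for the same name signed by a CA it does not hold. It assumes the openssl command-line tool is installed; all names (trusted-ca, unknown-ca, www.example.test, server, lookalike) are made up for the example.

```shell
#!/bin/sh
# Added example: third-party trust with constructed CAs. All names are made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA certificate (the "root key" users hold).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA SUBJECT OUT: CA signs SUBJECT's public key, binding the name to the key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$3.csr" -days 1 -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$3.crt" 2>/dev/null
}

# trusts ROOT CERT: succeed only if CERT carries a valid signature chaining to ROOT.
trusts() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# subject_of CERT: print the name the certificate claims.
subject_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject
}

make_ca trusted-ca      # the CA this relying party recognizes
make_ca unknown-ca      # a CA this relying party does not hold
issue trusted-ca www.example.test server
issue unknown-ca www.example.test lookalike

# Both certificates claim the same subject; only the CA signature tells them apart.
for cert in server lookalike; do
    if trusts trusted-ca "$cert"; then verdict=ACCEPT; else verdict=REJECT; fi
    echo "$cert: $(subject_of "$cert") -> $verdict"
done
```

The subject name alone proves nothing here: the decision rests entirely on which CA certificates the relying party holds.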