
Authentication 2/7 : SSL Certificates

This article of the Authentication series explains how authentication and encryption are achieved with SSL Certificates, including a detailed walkthrough of how they work.

Pravinkumar Singh
4 min read · Oct 8, 2023

SSL Certificates, i.e. Secure Sockets Layer Certificates, are digital certificates that authenticate a website’s identity and enable an encrypted connection. Now imagine you have created a shopping website, you plan to make it public, and it is supposed to handle credit and debit card information too. Before SSL certificates, data sent from the customer’s browser to the web server travelled in plain text, leaving it vulnerable to eavesdropping and tampering. Risky, right? To overcome this, Netscape Communications Corporation introduced the Secure Sockets Layer (SSL) protocol in 1995, which uses SSL certificates to verify the authenticity of servers to users and to encrypt the data users send to the web server.

An SSL certificate is a data file hosted in your website’s origin web server. It contains:

  • The domain name to which the certificate was issued.
  • Which person, organization, or device it was issued to.
  • Which certificate authority issued it.
  • The issuer’s digital signature.
  • Associated subdomains.
  • Issue date.
  • Expiration date.
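The fields above are what a client sees when it inspects a server's certificate. As an added example (not part of the original article), the Python below takes a certificate in the dictionary shape returned by the standard library's `ssl.SSLSocket.getpeercert()` and runs the field checks a browser performs: the issue and expiration dates, the issuer, and whether the requested domain name (including wildcard subdomains) matches. The sample certificate and CA names are constructed; signature verification is left to the TLS library, which performs it against its trust store before these checks run.

```python
import ssl
import time

# Constructed sample in the shape that ssl.SSLSocket.getpeercert() returns
# (made-up values, not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Oct  8 00:00:00 2023 GMT",
    "notAfter": "Jan  6 00:00:00 2024 GMT",
}

def issuer_name(cert):
    """Flatten the issuer RDN tuples into a plain dict of attribute -> value."""
    return {attr: value for rdn in cert["issuer"] for attr, value in rdn}

def in_validity_period(cert, now_gmt=None):
    """Issue date <= now < expiration date; now_gmt uses the certificate's GMT string format."""
    now = time.time() if now_gmt is None else ssl.cert_time_to_seconds(now_gmt)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now < not_after

def _dns_name_matches(pattern, hostname):
    """RFC 6125 style match: exact, or '*' standing for exactly one left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no partial-label wildcards, no '*.com', one label per '*'
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert, hostname):
    """Match against the DNS entries in subjectAltName only (browsers ignore commonName here)."""
    return any(_dns_name_matches(value, hostname)
               for kind, value in cert.get("subjectAltName", ()) if kind == "DNS")

def check_certificate(cert, hostname, now_gmt=None):
    """The browser-side field checks; CA signature verification is done by the TLS library."""
    return {
        "issuer": issuer_name(cert).get("commonName"),
        "in_validity_period": in_validity_period(cert, now_gmt),
        "hostname_matches": hostname_matches(cert, hostname),
    }
```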

Usage

SSL Certificates serve two main purposes: Authentication and Encryption.

  • Authentication/Validation: SSL Certificates verify the identity of a website. For instance, when your customer logs into your shopping website, the SSL Certificate verifies that they are indeed interacting with your shop’s official website and not a phishing site designed to steal their login credentials.
  • Encryption: They encrypt the data transmitted between the user and the site, ensuring it can’t be stolen or altered en route. For example, when your customer is ordering from your shopping website and enters credit card details at checkout, the SSL Certificate encrypts this information.

Set up

Once your application is deployed on your production server, you need to install an SSL certificate on that server. While the specifics of setting up or installing SSL Certificates vary depending on the server, here’s a generalized step-by-step guide:

  1. Acquire or Generate an SSL Certificate: You can purchase a certificate from a trusted Certificate Authority like DigiCert, Comodo, or Symantec. Alternatively, you can generate a free one from Let’s Encrypt.
  2. Activate the Certificate: To activate the certificate, you’ll typically need to provide the Certificate Signing Request (CSR) from your server. Most hosting providers, like Bluehost or GoDaddy, will guide you through these steps via their dashboards. A CSR is a block of encoded text that contains information that will be included in your certificate such as your organization name, domain name, locality, and country.
  3. Install the Certificate: Once the Certificate Authority has provided you with the SSL Certificate, install it on your server. Most hosting providers have a feature to install it directly. For example, in cPanel, you would go to ‘SSL/TLS’ > ‘Install and Manage SSL for your site (HTTPS)’ > ‘Manage SSL Sites’, and then paste your certificate and private key into the corresponding boxes.
  4. Update Your Site To Use HTTPS: Ensure your shopping website uses ‘https’ in its URLs. You may need to update your website configuration or use tools like Really Simple SSL for WordPress. For instance, in WordPress, you can go to ‘Settings’ > ‘General’ and update your WordPress and site URL to use ‘https’.

Working

With an SSL Certificate installed, your shopping website will be accessed over https. Let’s explore how exactly this https connection, which uses the SSL protocol to secure the connection, is established:

When a browser attempts to access a website secured with SSL, it and the website’s server perform an SSL handshake. This handshake involves:

  1. Client Hello: When a customer’s web browser attempts to access your shopping website secured with HTTPS, it initiates the handshake by sending a “Client Hello” message to the server. This message includes the SSL/TLS versions and the cipher suites the browser supports, along with a random byte string known as “Client Random.”
  2. Server Hello: The server responds with a “Server Hello” message, which includes the SSL/TLS version and the cipher suite selected by the server from the list provided by the browser. The server also sends its own random byte string known as “Server Random,” and a copy of its SSL Certificate.
  3. Certificate Verification: The browser verifies the server’s SSL Certificate against the Certificate Authorities it trusts to ensure it’s valid and trustworthy. This is done by checking that the certificate is signed by a trusted Certificate Authority (CA), that it has not expired, and that it matches the server’s address.
  4. Pre-Master Secret Creation: If the certificate is valid, the browser creates a random Pre-Master Secret and encrypts it with the server’s public key (obtained from the server’s SSL Certificate), then sends the encrypted Pre-Master Secret to the server.
  5. Decryption: The server decrypts the Pre-Master Secret using its private key.
  6. Session Keys Generation: Both the server and the browser use the Client Random, Server Random, and the Pre-Master Secret to generate the session keys. These session keys are symmetric, which means both parties will use the same keys to encrypt and decrypt the information exchanged during the session.
  7. Secure Communication: The browser sends a “Finished” message encrypted with the session key, indicating it’s ready to start the secure communication. The server will decrypt the message using the session key, and if it’s valid, it will start the secure session. All data exchanged during this session is encrypted with the session key.
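Step 6 is where the Client Random, Server Random and Pre-Master Secret turn into shared session keys, and step 7 reuses the same derivation for the Finished message. The added Python below (not from the original article) implements the TLS 1.2 key derivation of RFC 5246 with the standard library only; it assumes an AES-128-GCM cipher suite for the key sizes, and the RSA encryption of steps 4 and 5 is not modelled, so both sides are simply given the same Pre-Master Secret.

```python
import hashlib
import hmac
import os

def p_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5: HMAC chained over the seed until `length` bytes exist."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls12_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for TLS 1.2."""
    return p_sha256(secret, label + seed, length)

def derive_session_keys(pre_master_secret, client_random, server_random):
    """Step 6: the symmetric keys both sides compute from the three handshake values.
    Key sizes assume TLS_RSA_WITH_AES_128_GCM_SHA256: no MAC keys, 16-byte keys, 4-byte IVs."""
    master_secret = tls12_prf(pre_master_secret, b"master secret",
                              client_random + server_random, 48)
    # Note the reversed random order for key expansion (RFC 5246 section 6.3).
    key_block = tls12_prf(master_secret, b"key expansion",
                          server_random + client_random, 40)
    return {
        "master_secret": master_secret,
        "client_write_key": key_block[0:16],
        "server_write_key": key_block[16:32],
        "client_write_iv": key_block[32:36],
        "server_write_iv": key_block[36:40],
    }

def finished_verify_data(master_secret, label, handshake_hash):
    """Step 7: the 12-byte verify_data carried in the Finished message
    (label is b"client finished" or b"server finished")."""
    return tls12_prf(master_secret, label, handshake_hash, 12)

def simulate_handshake(client_random=None, server_random=None, pre_master_secret=None):
    """Steps 1, 2, 4 and 6 with constructed randoms; the RSA encryption of steps 4-5
    is not modelled, so the server is simply handed the same Pre-Master Secret."""
    client_random = client_random or os.urandom(32)                   # Client Hello
    server_random = server_random or os.urandom(32)                   # Server Hello
    # 48 bytes; the first two carry the client's offered version (0x0303 = TLS 1.2)
    pre_master_secret = pre_master_secret or b"\x03\x03" + os.urandom(46)
    client_keys = derive_session_keys(pre_master_secret, client_random, server_random)
    server_keys = derive_session_keys(pre_master_secret, client_random, server_random)
    return client_keys, server_keys
```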

Voila, a secured connection is established, happy online shopping.

I hope you liked this article. I suggest reading the next one, about password-based authentication.

Peace.
