The fast and simple answer is that since July of 2019, Google will mark your site as unsafe if you don’t have an SSL certificate.

And that means you’ll lose visitors to your site by the score.

But maybe you want to know more… If so, read on.

What is it?

Secure Sockets Layer (SSL), also known as Transport Layer Security (TLS)

The Secure Sockets Layer protocol was developed by Netscape for transmitting private documents via the Internet and for ensuring secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of a transaction. The CA relies on a cryptographic system that uses two keys to encrypt data: a public key known to everyone and a private key known only to the recipient of the message. All browsers currently in use support some level of SSL, and many websites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https:// instead of http://.

Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP). Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard.

The difference between SSL and S-HTTP:

SSL creates a secure connection between a client and a server, over which data can be sent securely.

S-HTTP is designed to transmit individual messages securely.

Therefore, we can see that SSL and S-HTTP are complementary rather than competing technologies.

A (very) brief history:

1993 – Secure Network Programming (SNP) was one of the early efforts toward transport layer security. It explored the approach of having a secure transport layer API (Application Programming Interface) closely resembling sockets (a socket is the endpoint of a bidirectional inter-process communication flow across an Internet Protocol-based computer network), so that preexisting network applications could be retrofitted with security measures. The SNP project received the 2004 ACM Software System Award. (TMI nugget: the Association for Computing Machinery, or ACM, was founded in 1947 as the world’s first scientific and educational computing society.)

(Although it was an impressive accomplishment at the time, many improvements have been made since then.)

How does it work?

The public key / private key mechanism

Encryption using a private key/public key pair ensures that data encrypted with one key can only be decrypted with the other key in the pair. The key pair is based on prime numbers, and the length of the keys in bits determines how hard it is to decrypt a message without the matching key. The two keys are similar in nature and can be used either way round: what one key encrypts, the other key in the pair can decrypt. The trick is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody.

One of the difficulties of this method is how to obtain the public key of your correspondent. Usually, they will send you a non-confidential signed message that will contain the public key as well as a certificate.

When an SSL handshake occurs between a client and server, the level of encryption is determined by the browser, the client computer operating system, and in certain situations the SSL Certificate. There are several types of handshake –

  • the simple handshake, where the server is authenticated by its certificate
  • the client-authenticated handshake, where the client is also authenticated via TLS, using certificates exchanged between both peers
  • the resumed handshake, in which a client that connects again to a specific server can use the session id associated with the server’s IP address and TCP port to shortcut the handshake. On the server, the session id maps to the cryptographic parameters previously negotiated.

In practical terms, via your browser

A browser requests a secure page (usually https://).

The web server sends its public key with its certificate.

  • The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid, and that the certificate relates to the site contacted.
  • The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server, together with the requested URL and other HTTP data encrypted under that symmetric key.
  • The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
  • The web server sends back the requested HTML document and HTTP data, encrypted with the symmetric key.
  • The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information on the web page.
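As an added, constructed example (not code from the original post, and not a real TLS implementation), the key-pair idea from “The public key / private key mechanism” above and the five browser/server steps just listed are walked through in Python. The key pair, certificate, trust store, hostnames and dates are invented, and textbook RSA on two Mersenne primes plus a SHA-256 keystream stand in for the real algorithms so that it runs offline with only the standard library.

```python
"""Toy end-to-end run of the browser/server exchange listed above.

Constructed example: the primes, certificate fields, hostnames and dates are
made up, and the ciphers are deliberately simplified (textbook RSA on two
Mersenne primes, a SHA-256 keystream instead of AES) so it runs offline with
only the Python standard library. Python 3.8+ is needed for pow(e, -1, m).
"""
import hashlib
import secrets
from datetime import datetime, timezone

# --- The public key / private key mechanism -------------------------------
# Constructed key pair. Real TLS keys are 2048-bit or longer with randomly
# chosen primes; Mersenne primes are used here only because they are known
# to be prime and make the arithmetic easy to follow.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q                       # public modulus (about 196 bits)
PHI = (P - 1) * (Q - 1)
E = 65537                       # public exponent
D = pow(E, -1, PHI)             # private exponent: the inverse of E mod PHI
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def rsa_apply(key, value):
    """Modular exponentiation: what one key of the pair does, the other undoes."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)


# --- What the browser checks before trusting the public key ---------------
TRUSTED_ROOTS = {"Example Root CA"}          # constructed trust store
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SERVER_CERT = {                              # constructed certificate
    "issuer": "Example Root CA",
    "subject_alt_names": ["www.example.com", "example.com"],
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
    "public_key": PUBLIC_KEY,
}


def certificate_is_acceptable(cert, hostname, now, trusted_roots=TRUSTED_ROOTS):
    """The three checks from the first bullet: trusted issuer, still valid,
    and related to the site that was contacted."""
    issued_by_trusted_ca = cert["issuer"] in trusted_roots
    currently_valid = cert["not_before"] <= now <= cert["not_after"]
    matches_site = hostname in cert["subject_alt_names"]
    return issued_by_trusted_ca and currently_valid and matches_site


# --- The symmetric part: a stand-in for the real record-layer cipher -------
def keystream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter). The same call
    encrypts and decrypts. Unauthenticated and illustrative only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# --- The exchange, step by step ---------------------------------------------
def browser_sends_request(cert, hostname, request, now):
    """Bullets 1 and 2, client side: verify the certificate, pick a random
    symmetric key, wrap it with the server's public key, encrypt the request."""
    if not certificate_is_acceptable(cert, hostname, now):
        raise ValueError("certificate rejected for %s" % hostname)
    session_key = secrets.token_bytes(16)                      # 128-bit key
    wrapped_key = rsa_apply(cert["public_key"], int.from_bytes(session_key, "big"))
    return session_key, wrapped_key, keystream_xor(session_key, request)


def server_handles_request(private_key, wrapped_key, encrypted_request):
    """Bullets 3 and 4, server side: unwrap the symmetric key with the private
    key, decrypt the request, answer under the same symmetric key."""
    session_key = rsa_apply(private_key, wrapped_key).to_bytes(16, "big")
    request = keystream_xor(session_key, encrypted_request)
    response = b"HTTP/1.1 200 OK\r\n\r\n<html>order form</html>"   # constructed page
    return request, keystream_xor(session_key, response)


def run_exchange(request, hostname="www.example.com", now=DEMO_NOW):
    """Run the full round trip (bullet 5 is the final decrypt) and report
    what each party saw."""
    session_key, wrapped_key, wire_request = browser_sends_request(
        SERVER_CERT, hostname, request, now)
    seen_by_server, wire_response = server_handles_request(
        PRIVATE_KEY, wrapped_key, wire_request)
    return {
        "request_on_the_wire": wire_request,          # what an eavesdropper sees
        "request_seen_by_server": seen_by_server,
        "response_seen_by_browser": keystream_xor(session_key, wire_response),
    }


if __name__ == "__main__":
    result = run_exchange(b"GET /checkout HTTP/1.1")
    print(result["request_seen_by_server"])
    print(result["response_seen_by_browser"])
```

Run it directly and it prints the request as the server decrypted it and the page as the browser decrypted it. Note what travels on the wire: only the wrapped session key and ciphertext, which is why the server’s private key must never leave the server. Modern TLS (1.3) no longer wraps the session key with the server’s RSA key as shown here; it derives the key with an ephemeral Diffie-Hellman exchange and uses the certificate only to sign the handshake, so a later compromise of the server key cannot unlock past sessions.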

Is 128-bit SSL encryption really stronger than 40-bit SSL encryption?

You bet! Low-level encryption, at 40 or 56 bits, is acceptable for sites with low-value information. However, a hacker with the time, tools, and motivation can crack the code in a matter of minutes.

High-level encryption, at 128 bits, offers 2^88 times as many possible key combinations as 40-bit encryption. That’s over a trillion times stronger. That same hacker with the same tools would require a trillion years to break into a session protected by this level of encryption. This is typically the level of encryption used by financial institutions and credit card companies.

Why do we need it?

Well, apart from the whole Google thing, you need SSL if…

  • you have an online store or accept online orders and credit cards
  • you offer a login or sign in on your site
  • you process sensitive data such as address, birth date, license, or ID numbers
  • you need to comply with privacy and security requirements
  • you value privacy and expect others to trust you.

Every website that is used for gathering and transmitting customers’ information should use an SSL certificate in order to guarantee the safety of that information.

Most Internet users expect any personal information they provide via the Internet to remain confidential and to arrive unaltered.

Many people will never buy your products or services online, or give registration information on your site unless they are sure that their details will be secure.

What would happen without it?

Fire and brimstone coming down from the skies! Rivers and seas boiling!
Forty years of darkness! Earthquakes, volcanoes.
The dead rising from the grave!
Human sacrifice, dogs and cats living together… mass hysteria!

from Ghostbusters

Consumers have come to accept that merchants want and need their business and will work with the best security methods available to make online activity safe, secure and private.

The general effect of not having the kind of reliable security that SSL provides would be that much, if not all, of the commerce taking place on the Internet would grind to a halt. Internet banking would become a thing of the past. (You’d be able to wallpaper your bathroom with your Amazon shares.) In fact, electronic communications of all kinds (e-mail, VoIP, etc.) would be adversely affected.
