2.0 How SSL works
2.1 - Transmitting Data Privately
SSL uses encryption and decryption to ensure that data is transmitted privately. It
works on the public-and-private key encryption system from RSA. The web server
contains a private and public key "signed" by a Certificate Authority. The public key
is used to encrypt data, but it can only be decrypted using the private key. SSL
uses two types of encryption: public key and symmetric key.
Public (Asymmetric) key encryption
Public key encryption uses a key pair made up of a public and a private key. The
keys are mathematically linked; that is, data encrypted with one key in the pair can
only be decrypted using the other key in the pair. The public key can be distributed
and made generally available. The private key is kept private.
A web server and web browser use public key encryption when first establishing
communications with each other. Specifically, it is used during the SSL handshake
when the web browser authenticates the web server. After the handshake is
complete, the web server and web browser switch to the more efficient symmetric
key encryption for the remainder of the transaction.
Symmetric key encryption
Symmetric key encryption uses a single key. The web browser and the web server
create the key (called a session key) during their initial interaction (the SSL
handshake). The same key is used to both encrypt and decrypt the data. This
encryption ensures that no one else can read the data being transmitted in either
direction. A different session key is used for each server/browser connection, and
the session key automatically expires after twenty-four hours.
2.2 - Ensuring the Data Is Not Altered During Transit
SSL uses cryptographic hashing to ensure that no one alters data during transit.
Cryptographic hashing creates a unique hash value based on the content of
transmitted data. The content of the data cannot be determined from the hash
value and it is nearly impossible to compose another message that computes to the
same hash value. Both the web server and the web browser compute hash values
using the same hashing algorithm. If the hash values are the same, the data was
not altered.
When sending data to a web browser, the web server computes a hash value for
data then sends the hash value and the data to the web browser. When the web
browser receives this information, it computes its own hash value for the data then
compares the two hash values. If they match, the web browser is assured that the
data was not altered during transit. A similar process occurs when the web browser
sends data back to the web server. The web browser computes a hash value then
sends it and the data to the web server. The web server computes a hash value for
the data and compares it to the hash value computed by the web browser.
This process assures web browser users that information they receive from the web
server has not been altered and that information they fill in on an HTML form is not
altered before it reaches the web server.
2.3 - Authenticating the Web Server
SSL uses digitally signed certificates to authenticate the web server, that is, to
assure the web browser that it is communicating with the organisation it thinks it is.
A certificate is a data structure that contains information about the organisation. It
also contains the public key of the organisation’s public/private key pair. Because
the certificate contains the public key, it binds a public/private key pair to the
organisation. The key pair is used for public key encryption during the SSL
handshake.
A server certificate is a certificate that attests to the identity of an organisation that
owns a web server. Certificates are issued by certificate authorities such as
VeriSign. A certificate authority is a trusted company or organisation that confirms
that an organisation is what it claims to be.
To obtain a server certificate, an organisation must send a certificate signing
request (CSR) to the certificate authority. After conducting research to ensure the
organisation is what it claims to be, the certificate authority digitally signs the
certificate and sends it to the organisation that requested it.
To create the digital signature, the certificate authority computes a hash value
based on the contents of the certificate.
A hash value is an error-checking value derived from the addition of a set of
numbers taken from data (not necessarily numeric data) that is to be processed or
manipulated in some way. After processing, the hash total is recalculated and
compared with the original total. If the two do not match, the original data has
been changed in some way.
The certificate authority then encrypts the hash value with its private key. The
digital signature is the encrypted hash value. The digital signature is stored with
the certificate.
When the organisation that requested the certificate receives the certificate, it
loads it to its web server. When an SSL request is made, the web server sends the
certificate to the web browser. When the web browser receives the certificate, it
can read the information about the organisation and its public key.
To validate the certificate to ensure it contains the information digitally signed by
the certificate authority, the web browser verifies the digital signature. Because the
digital signature is an encrypted hash value that was computed based on the
contents of the certificate, the web browser needs to compare hash values. The
web browser computes a hash value based on the contents of the certificate it
received. It then decrypts the digital signature to determine the hash value that the
certificate authority computed. If the two hash values match, the web browser is
assured that the certificate contains the information that the certificate authority
verified and digitally signed.
2.4 - The SSL
Record Protocol
An SSL record consists of two parts, the header and the data. The header can either be 3 bytes in
length or 2 bytes in length, the latter being employed if there is no padding data. The escape bit is
not used in version 2 of the protocol but it is suggested that it is used to designate Out-Of-Band
data in future versions. For a 2 byte header, the maximum record length is 32767 bytes whereas a
3 byte header will only allow a record length of up to 16383 bytes.
The data part of the record consists of a Message Authentication Code (MAC), the actual data itself
and padding data, if required. It is the data part of the record which is encrypted in its entirety
when encryption is necessary. Padding data is only required for use with block ciphers. It is used to
pad out the length of the data block to be a multiple of the block size of the cipher. If a stream
cipher is used or the data is already a multiple of the block size, then no padding is required and a
2 byte header record can be used. The MAC is a hash or message digest of the secret write key of
the sending party, the actual data, the padding data and a sequence number in that order. The
sequence number is a 32 bit integer which is incremented after each message is sent.
2.5 - SSL Handshake
The SSL handshake occurs when a web browser user first requests information from a web server
that is using SSL.
The following is accomplished during the SSL handshake:



The web browser and the web server negotiate the cipher suite they will use for the rest of
the security services.
The web browser authenticates the web server.
The web browser selects and transmits a symmetric key to the web server.
The handshake protocol is composed of two phases.
Phase 1 deals with the selection of a cipher suite, the exchange of a master key and the
authentication of the server.
A cipher suite is made up of three techniques:

Key exchange technique--This is how the web browser and web server will exchange the
symmetric key that will be used for the symmetric encryption that takes place after the
SSL handshake is complete.

Symmetric encryption technique--This is the type of symmetric encryption to be used, for
example, RC2 or RC4.

Hashing technique--This is the type of hashing the web browser and the web server will
use to ensure the data is not altered during transit.
Phase 2 handles client authentication, if requested and finishes the handshaking. After the
handshake stage is complete, the data transfer between client and server begins. All messages
during handshaking and after, are sent over the SSL Record Protocol layer.
To allow the web browser to authenticate the web server, the web server sends its server
certificate to the web browser. The web browser validates the server certificate.
The web browser selects an appropriate symmetric key for the type of symmetric encryption to be
used. It then encrypts the symmetric key using the web server's public key. (The web browser
obtained the web server's public key from the server certificate.) The web browser then sends the
encrypted key to the web server.
Using its private key, the web server decrypts the symmetric key. Now both the web browser and
the web server have a secret key that they will use to send data back and forth. The handshake is
complete.
2.6 - SSL and The ISO Reference Model
It is important that any new communications protocol conform to a standard model if it is to easily
replace or become part of an existing protocol structure. The ISO Reference Model for Open
Systems Interconnection or 7-Layer Model is the most popular abstraction [HAL93].
Figure 2.1
2.7 - Example of an SSL Transaction:
The web browser user enters a URL to access information from a web server that is using SSL, for
example:
1. https://www.company.com:443/
2. The web browser and web server perform the SSL handshake, which consists of the following
steps:



The web server and the web browser negotiate what cipher suite they will use.
The web server sends its certificate. The web browser authenticates the web server by
validating the web server's certificate.
The web browser and web server create the symmetric encryption key that they will use to
send data back and forth privately.
3. The web server sends the requested data to the web browser by performing these steps:



Computes the hash value for the data.
Encrypts the data and hash value using the symmetric encryption key.
Sends to the data and hash value to the web browser.
4. The web browser receives the data and hash value. Then it:


Decrypts the data and hash value.
Creates a hash value for the data.


Compares its hash value to the hash value the web server computed.
Displays the data if the hash values match.
5. The web browser user fills in information on an HTML form and uses the submit button to return
the information to the web server.
6. The web browser sends the HTML form data to the web server by performing these steps:



Computes the hash value for the data.
Encrypts the data and hash value using the symmetric encryption key.
Sends to the data and hash value to the web server.
7. The web server receives the data and hash value. Then it:



Decrypts the data and hash value.
Creates a hash value for the data.
Compares its hash value to the hash value the web browser computed. Continues
processing the request if the hash values match.
The process continues with steps 3-7 until the SSL transaction ends.
Introduction
Sending encoded messages through a network of third parties has been done for
centuries. Julius Caesar encoded messages by shifting the alphabet. The Incas tied
knots on to a "quipu" which only they could decode, and runners would transport
their secrets across the vast Incan empire.
Definitions
Today when you are in a face-to-face negotiation with someone you take for
granted that you have "availability", "authenticity", "integrity", and "privacy"
during the conversation. Let me define these four terms, for they all necessary to
insure a secure electronic transaction over the Internet.
Availability
Availability is sending and receiving information without interruption.
You want to be sure that not only did you get the entire message, but
that the other party got your message as well. During a conversation
you can tell when the other party is not listening to you.
Authenticity
Authenticity is making sure that the person you are talking to is really
who they are. As human beings we are very good at recognizing faces
and voices, so we know who we are talking to. Even if we do not
know someone, we can ask for some form of identification such as a
driver's license.
Integrity
Integrity is sending and receiving information without modification.
Your data should not be tampered with.
Privacy
Privacy is not having people eavesdropping on your conversation.
Intercepting messages during World War II lead to the United States
of America winning at least one naval battle.
Your credit card information will travel over the Internet, being relayed from
computer to computer in a manner similar to the Incan runners. On the Internet you
want to have availability so that you can access the Web server and complete your
transaction. You must have authenticity to be sure the merchant you are dealing
with is legitimate. You need integrity so that zeros do not get added to invoice
amounts. You need privacy so that no one intercepts your credit card number. This
is accomplished by using Secure Socket Layer (SSL).
What is SSL
SSL is the most widely used security protocol on the Internet. SSL was developed
by Netscape and resides at the transport layer. Because SSL resides at the transport
layer it is application independent, meaning it can work transparently with other
Internet protocols such as http, ftp, and telnet. SSL is composed of two layers. At
the lowest level is the SSL record protocol which is layered on top of the transport
protocol. It is used for encapsulation of the SSL handshake protocol.
The SSL handshake protocol enables the client and the server to authenticate each
other. It also negotiates an encryption algorithm and cryptographic keys before the
application protocol (https) starts transmitting or receiving. The SSL handshake
protocol has two phases, server authentication and client authentication. The client
authentication phase is optional.
SSL works with a pair of asymmetric keys for encryption and decryption, and
certificate authorities (CA). The asymmetric keys make it possible to communicate
without a pre-established relationship. They are made up of a public key which is
freely distributed, and a private key which never goes across the Internet. A public
key and private key pair are mathematically related. Cryptography is the
mathematics of security.
Certificate Authority
A certificate authority is a trusted third party. One could say the State of Florida is
a CA, because it issues driver's licenses. A driver's license is a certificate because it
says that the person matching the picture and the signature on the driver's license is
indeed the name that appears on the driver's license.
On the Internet, before a CA will issue a certificate it will run a background check.
How thorough the background check is depends on what kind of certificate you
want and are willing to pay for. For example, VeriSign, a leading CA, will issue
you a client certificate which costs US$9.95 per year. All you need to supply is
your first name, last name, and electronic mail address of which only the last one is
verified. In exchange, you get up to US$1000 protection against economic loss
caused by corruption, loss, or misuse of your digital certificate. It can be revoked or
replaced for free if it is lost or corrupted. Of course there are more expensive
certificates, with stricter background checks, which merchants on the Internet use
for electronic commerce.
How SSL works
SSL works in the following way. A browser connects to a Web server. The Web
server responds by sending its digital certificate. The server's digital certificate
contains the server's public key, the CA's public key, the server's digital signature
algorithm, the CA's digital signature, and other pertinent information.
The browser can prove the identity of the server and verify the message digest of
the server by using the public key taken from the certificate and checking the result
against the certificate of the CA that it has. Browsers contain certificates of several
CA. You can view them by clicking on the appropriate browser configuration
option. The browser recognizes the CA certificate, and since the CA is a trusted
third party guaranteeing the identity of the Web server, the Web server is
authenticated.
SSL generates four session keys, which are only valid for that session. The keys
usually expire within 20 to 30 minutes. The keys are: an encryption key for data
sent from the browser to the server, an encryption key for data sent from the server
to the browser, an authentication key for data sent from the browser to the server,
an authentication key for data sent from the server to the browser. This is known as
the SSL handshake, and once established, encrypted data is sent across the Internet.
The data is encrypted using a symmetric cipher algorithm. This strengthens security
by using the secret as another key.
At this point someone cannot discover the secret, but they could interrupt the
communication by damaging the secret. Someone could pass most of the
information back and forth unmodified, but if lucky could successfully garble an
important message after the client and the server shared a secret. The side receiving
the message will trust and probably believe the garbled message, and act on it. If
this does not produce a valid message, the communication can stop immediately.
The browser and the Web server can add a Message Authentication Code (MAC)
which is a piece of data computed by using a secret and some transmitted data. The
message digest algorithm is a way to build a MAC function. Now the chance of a
message being intercepted and modified is extremely small. For example, with an
MD5 digest algorithm using 128-bit MAC values the chances are 1 in 2128. Your
chances of winning the Florida lottery are slightly better than 1 in 2 24. With these
odds one can feel pretty confident that communication between browser and Web
server is secure.
SSL Certificates Reviewed
SSL Certificates are essential for transmitting data securely over the Internet and for providing authentication.
Standard on most Web servers and Web browser packages, SSL is used by Internet merchants, organizations
and other parties to securely transmit data, such as credit card information.
This article delivers a comprehensive review of SSL and digital certificates, with useful resources, reviews of SSL
certificate authorities, SSL technology, benefits, your SSL options and a whole lot more.
What is SSL?
Short for Secure Sockets Layer, SSL is a protocol developed by Netscape for transmitting private documents via
the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection.
The SSL protocol uses digital certificates to create a secure, confidential communications 'pipe' between two
entities. Data transmitted over an SSL connection cannot be tampered with or forged - without the two parties
becoming immediately aware of it.
Secure Sockets Layer (SSL) - Key Points












SSL is the standard security technology for creating an encrypted link between a Web server and a
browser.
SSL is used by millions of Web sites to protect their online transactions ? Ecommerce stores,
Merchants, and other organizations all use 128-bit, 56-bit or 40-bit encryption.
SSL is a standard part of most Web servers and Web browser packages. SSL just needs to be
'activated' on Web servers.
SSL (https) operates on port 443. HTTP operates on port 80.
3rd party credit card processors (or ISOs) provide SSL security when your customers are transferred to
their secure site. But you still may need SSL for member logins, registering accounts and other
occasions whenever sensitive info. is transferred on your Web site.
SSL deals with encryption only. For security and trust, the site also needs to be authenticated by a
Certificate Authority - which helps prove you are who you say you are.
A 'secure' page is one that has https:// in the browser bar (instead of http://).
'secure' page also displays a 'lock' icon in the status bar at the bottom of the page in both Internet
Explorer and Netscape browsers (toolbar).
Lock icon only indicates that SSL encryption is being used. You must click on the padlock icon (or a CA
seal) to view information about the encryption levels, certificate paths and authenticity of the Web site.
SSL requires a bit more processing power than normal http pages. Only use on pages you need to when a customer/client starts supplying their information.
SSL does not support name-based virtual hosts.
An SSL certificate is issued to a fully qualified domain name (FQDN). One SSL certificate is required



per FQDN.
Each SSL certificate requires its own unique IP address. SSL can't be configured on name-based hosts
unless the VirtualHosts use different SSL ports.
SSL certificates are generally offered for 1 or 2 year periods.
Most browsers have built-in security measures alerting you when you're viewing an SSL secure server
page. Many browsers, including IE and Netscape also alert the user when there are problems with the
Web site's digital certificate and if your information is not secure.
Table 1.1 - Secure Sockets Layer (SSL) - Key Points.
SSL Secure Padlock
As noted in Table 1.1, a page using SSL encryption displays https:// in the browser bar and shows the padlock
icon in the status bar (in IE). Clicking on the padlock icon reveals the SSL certificate and its details.
Figure 1.1 - 'Lock icons' are displayed in the bottom right-hand corner of the screen. The above screenshots
show examples of the padlock icon in Internet Explorer and Netscape browsers.
Figure 1.2 - View detailed information about the Web site's digital certificate by clicking on the padlock icon or by
clicking on a site seal (which is a pretty authentication seal offered with many (but not all) SSL certificate
packages.
As you can see from Figure 1.2, clicking on the padlock icon brings up a popup window with three tabs (in Internet
Explorer) - General, details and certification path. Here are some details which you may like to check out:
Certification Path: Shows you who is the trusted CA authority issuing the certificate (if any). You'll see the
trusted authority with a chain to the Web site in question. If the Web site is using a chained SSL (aka
intermediate) digital certificate, then you'll see the 'chain' of certificates (one 'trusted', one 'intermediate', then
finally the Web site's SSL server certificate. We'll discuss chained SSL certificates later on in the article.
Details: The details stored by a digital certificate vary between certificate authorities. You can view the encryption
strength (128-bit or 40-bit), identified by RSA (1024 bits) and RSA (512 bits), validity dates of the certificate,
methods of validation, the domain name the certificate is issued to and more. Click on 'subject' in the details
category for more information on the SSL certificate.
SSL Certificates - Their Uses
SSL certificates are used to secure confidential information sent over the Web. SSL is used by



Merchants to send credit card details to payment gateways for processing
Securing information sent over corporate intranets
Providing authentication and security for applications
Many Web sites have areas of their Web sites displaying 'sensitive' information. SSL is required to ensure
security and trust. For those transferring sensitive information, 128-bit encryption is industry standard for
encryption.
SSL Benefits
SSL is essential for sending sensitive information on the Web. Key benefits include:



Customers will only submit their credit card information if they know that it is secure
Your end-users will know they are dealing with a trustworthy partner - if authenticated by a CA (more
details on this later)
Your business will gain a competitive edge over those foolish enough to not use SSL encryption
Transport Layer Security
Transport Layer Security (TLS) is the newest version of the SSL standard. There will be no more SSL versions (of
which there were three versions). The Internet Engineering Task Force (IETF) are behind working on the new
TLS protocol.
As with SSL, TLS ensures that no third party may eavesdrop or tamper with any message.
TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record
Protocol provides connection security with some encryption method (can also be used without).
The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an
encryption algorithm and cryptographic keys before data is exchanged.
The TLS protocol is based on Netscape's SSL 3.0 protocol. The most recent browser versions support TLS. The
TLS Working Group, established in 1996 by the IETF, continues to work on the TLS protocol and related
applications. More information can be found at IETF.org.
Useful SSL Resources
Secure Sockets Layer - As guide from Netscape - Find some good information from the creators of the SSL
protocol - Netscape. Find out how SSL works, digital certificates - and how to get a certificate for your server. An
informative read.
SSL Specification - View the SSL specification from Netscape.
SSL and TLS - SSL and TLS: Designing and Building Secure Systems by Eric Rescorla is a popular book on SSL
receiving good reviews at Amazon.com. If you're looking for comprehensive information on SSL, TLS and digital
security, then this book comes highly recommended by industry pros.
SSL Crypto Strength
SSL provides encryption between Web browsers and Web servers. This encryption is based on the RSA algo
(rsasecurity.com). Encryption can be done at different 'strengths', depending on what the software supports at
each end. The strength is specified by the length of the session key (more on this soon). Encryption can be 40-bit,
56-bit or 128-bit.
Cryptographers consider 128-bit impossible to crack and is the recommended and standard for banks, large-scale
online merchants, brokerages and many other organizations. 128-bit is approximately 3x10^26 times stronger
than 40-bit encryption.
Browser Types
The USA restricted the export of strong encryption products meaning that many browser versions developed for
export from the US were not automatically enabled to encrypt 128-bit encryption. Most SSL Certificate Authorities
provide SSL certificates which enable 128-bit encryption - no matter what browser type they have.
Cryptology and Digital Certificates
Cryptology and Digital Certificates - Key Points
Key Management ? The term 'key' refers to a numerical value used by an algorithm to alter information.
Encryption makes that information secure and visible only to individuals who have the corresponding key to
recover the info.
'Key Management' refers to the secure administration of keys to provide them to users where and when they
are required.
Symmetric Cryptology ? Uses the same key for both encryption and decryption. There's always the problem of
how to securely transfer the keys to the recipients of the message, so they can decrypt the message.
Public-key Cryptology ? Removes the need to use the same key for encryption and decryption. Keys come in
matched 'public' and 'private' keys. The public part can be distributed in a public manner. The private part is kept
secret by its owner. Encryption can only be undone with the corresponding private key.
The mechanics of public-key encryption ensure that a stolen certificate is useless.
Table 1.2 - Cryptology and Digital Certificates - Key Points.
Digital Certificates and SSL
Digital Certificates are electronic files that are used to uniquely identify people and resources over networks.
Digital certificates also enable secure, confidential information between two parties.
A digital certificate typically includes a variety of information pertaining to its owner and the Certificate Authority
that issued it. A Certificate Authority is an organization responsible for issuing, revoking and renewing digital
certificates. A Certificate Authority (CA) acts very much like a Passport Office.
By using a variety of validation techniques (send in documents, domain name validation, telephony and more), a
CA authenticates a business - adding to consumer confidence that your business is a legitimate one.
By clicking on the padlock icon on any 'secured' page, you can view the Certificate information. Typically,
information includes:





Name of holder and other identification info. (some include more details than others)
Holder's public key
Name of the CA that issued the digital certificate
Serial number
Validity period (or lifetime) of the certificate (start and end date)
In creating the SSL server certificate, the information is digitally signed by the issuing CA. The certificate is based
on public-key cryptology.
Web server certificates ? A certificate that authenticates the identity of a Web site to visiting browsers. When a
browser wants to send confidential information to a Web server, the browser will access the server's digital
certificate.
The digital certificate, which contains the Web server's public key is used to a) authenticate the ID of the Web
server and b) Encrypt information on the server using SSL.
CA certificates ? A CA certificate is one that identifies a Certificate Authority. CA certs. are just like other digital
certificates, except they are self-signed.
The CA certificate is used to authenticate and validate the Web server certificate. When a Web server
certificate is presented to a browser, the browser uses the CA cert. to determine whether to trust the Web server
certificate. If it is not trusted, then the server certificate is rejected and you'll get warnings from your browser
stating so.
CA certificates come pre-installed on most web browsers. To view a list of Trusted Root CA Certificates (aka
Single Root Certificates) stored on your browser, navigate to the following:
Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities
How Digital Certificates are used in an SSL Transaction
Figure 1.3 - How Digital Certificates are used in an SSL Transaction.
The SSL "Handshake" is the process of identifying the two parties that want to establish an SSL connection is
complete, and a secure communications "pipe" has been established. The entire process happens transparently
and takes only seconds - as illustrated in Figure 1.3.
Currently, browsers such as Internet Explorer and Netscape do not distinguish between high-assurance
(authenticated) and low-assurance (unauthenticated) certs. A visitor must click on the padlock icon (or authentic
seal) to view validation and authenticity of the
Web site provided by a Certificate Authority (if any).
Authentication
For added security and trust, authentication by a third-party is recommended. Encryption is not enough.
Anyone can use encrypt with SSL by self-signing a certificate, and some 'authorities' even distribute
unauthenticated certificates.
Authentication means that a trusted authority can prove that you are who you say you are. A secure Web site
involves both encryption AND authentication from a trusted Certificate Authority.
Authentication ? Typically, the "signer" is a Certificate Authority (CA). However, some are not CAs, and many
are even self-signed by merchants and scam-artists themselves. And some companies who state they're a CA,
provide unauthenticated SSL certificates, ie their certificate isn't trusted and they don't use chainedSSL to inherit
trust from trusted root certificates. This practice exposes users to the risks of false online storefronts.
Authentication - Key Points
Authenticated SSL certificates enable a Web site visitor to:

Securely communicate with the Web site, such that info. cannot be intercepted (confidentiality) or



altered without detection (integrity).
Verify that the user is actually visiting the company's Web site and not an imposter's site.
Seeing a padlock icon is not enough ? You need to view the certificate to see what authentication
methods (if any) have been used.
Sending info. with SSL encryption without authentication from a trusted third-party (a CA), can be
likened to sending a confidential letter to the wrong address.
Table 1.3 - Authentication - Key Points.
How Authenticated SSL Works
Certificate authorities use a variety of methods to authenticate a business. For example, Verisign use manual
verification of an organization's validity. Their checks include:



Confirmation that the organization named in the certificate has the right to use the domain name
included in the certificate
Confirmation that the the organization named in the certificate is a legal entity
Confirmation that the individual who requested the SSL cert. on behalf of an organization has the right to
do so
Manual validation usually involves the requesting company to fax in various documents. This process can take
several days or longer - but is the most thorough of authentication methods.
Some CAs only validate the right of an entity's right to use a domain name - not a very reliable method.
Manual validation ? Validation of domain name ownership and business legitimacy. Send in/Fax documents to
the Certificate Authority. Can take 2, 4 days or longer.
Automatic Validation ? Many companies are cutting their costs considerably (and offering far cheaper SSL
certs.) by using automatic validation methods. These use computers, databases and automated routines to check
business legitimacy.
Common automatic validation methods include a) Domain control validation b) ChoicePoint (Equivalent to Dun
and BradStreet) - visit www.choicepoint.com. c) Automated Telephony, whereby they'll give your number a call to
validate address etc.
Before requesting an SSL certificate from an authority, be sure to find out what is required for your business to be
authenticated and how long it will take. Automated validation can take just minutes or a day or less.
Applying for an SSL - The Certificate Signing Request
A Certificate Signing Request (CSR) is a public key that you (or your Web hosting provider if you don't have root
access to your Web server) generate on your server that validates the computer-specific information about your
Web server and organization. You need to generate a CSR request and paste the resulting code into a CA's SSL
enrollment form.
How you generate your Certificate Signing Request will depend on your Web server and set-up. You can usually
find step-by-step guides on how to generate a CSR in your Web server documentation or documentation provided
by a Certificate Authority.
Verisign's Apache Server with Modssl CSR guide is one such example walking you through the process of
generating a CSR.
If you are a merchant and wish to use your own SSL certificate, then contact your Web host and they should set
you up with a unique IP address (which is required for a SSL), and generate a CSR for you.
You generate the private key (which you keep secret) and also the CSR (which you send off to the CA) A CSR
request looks something like this:
-----BEGIN CERTIFICATE REQUEST----MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh -----END CERTIFICATE REQUEST----Once the verification has been done, the CA signs-off on the public key. The Public key then comes back to the
Webmaster (or host), who then loads it into the Web server. As soon as both the private and public keys (a
matching pair) align perfectly, the SSL will start functioning. For each SSL session, the client sends the server a
session key (40-bit, 128-bit) encrypted using the server's public key.
How to tell if a Web site is Authentic?
Internet Explorer and Netscape Navigator browsers have built-in mechanisms to prevent users from submitting
their information over unauthenticated channels (as do other browsers).
Netscape's default is to show alert the user when they request an encrypted page using SSL. The 'warning box'
will also tell you if there are any problems with the certificate too.
IE, Netscape and most likely many other browsers display warnings if you try to submit secure info. on an SSL
page when there's a problem with the certificate. A 'problem' is usually one of the following:
a) Not trusted by a recognized CA. b) The certificate doesn't match the domain c) Going to a different domain
(usually when using SSL - whether this displays or not depends on the browser).