SSL Certificates Explained: A Deep Dive into Encryption, Attacks, and How HTTPS Secures the Web ๐
Source: Dev.to
Why SSL/TLS is Needed
When you open a website and see the ๐ lock icon in your browser, youโre benefiting from SSL/TLS, one of the most important security technologies on the internet.
The early internet was designed to share information, not to protect it. Protocols like HTTP sent data in plain text:
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
username=jack&password=123456Anyone on the same network (WiโFi, ISP, router) could read this request, leading to:
- Data theft
- Account hijacking
- Identity fraud
Core problem: How can two parties communicate securely over an insecure network?
Symmetric Encryption
Symmetric encryption uses a single secret key for both encryption and decryption.
Plain Text โโ(Secret Key)โโโบ Encrypted Data
Encrypted Data โโ(Same Secret Key)โโโบ Plain Text- Algorithms: AES, ChaCha20 (DES is now considered insecure)
- Characteristics: Simple math operations, very efficient for large data, used to encrypt actual website traffic.
Challenge: How do the client and server agree on the secret key? Sending the key over the internet would expose it to attackers, so symmetric encryption alone is insufficient.
Asymmetric Encryption
Asymmetric encryption uses a pair of keys:
- Public Key: Shared with everyone
- Private Key: Kept secret
Data encrypted with Public Key โโโบ Decrypted with Private KeyAnyone can encrypt data using the public key, but only the holder of the private key can decrypt it. This solves the secure keyโexchange problem.
- Algorithms: RSA, ECC (Elliptic Curve Cryptography)
- Characteristics: Secure key sharing but computationally expensive and slow, making it unsuitable for encrypting large amounts of data.
Combining Symmetric and Asymmetric: The SSL/TLS Handshake
SSL (now TLS) merges the speed of symmetric encryption with the secure key exchange of asymmetric encryption.
Handshake Overview
-
Client Hello โ The browser sends:
- Supported TLS versions
- Supported cipher suites
- A random number
-
Server Hello โ The server replies with:
- Its SSL certificate (containing the domain name, public key, CA signature, and expiry date)
- Chosen cipher suite
- Another random number
-
Verification โ The browser:
- Verifies the CA signature
- Checks the domain name and expiration date
- Blocks the connection if verification fails (preventing MITM attacks)
-
Key Exchange โ The browser:
- Generates a symmetric session key
- Encrypts it with the serverโs public key
- Sends it to the server
-
Secure Communication โ Both sides now share the same secret key and use fast symmetric encryption for all subsequent data.
SSL Certificate Essentials
An SSL certificate is a digitally signed document that includes:
| Field | Description |
|---|---|
| Domain name | e.g., example.com |
| Serverโs public key | Used for encrypting the session key |
| CA signature | Verifies authenticity (e.g., Letโs Encrypt, DigiCert, GlobalSign, Cloudflare) |
| Expiry date | Determines certificate validity |
Security Benefits of SSL/TLS
| Encryption Type | Purpose |
|---|---|
| Asymmetric | Secure key exchange |
| Symmetric | Fast data encryption |
SSL/TLS provides:
- Encryption: Protects data in transit.
- Authentication: Verifies server identity, preventing impersonation.
- Integrity: Detects tampering of transmitted data.
These protections mitigate attacks such as:
- Manโinโtheโmiddle (MITM)
- Packet sniffing
- Credential theft
- Data tampering
- Session hijacking
Modern browsers reinforce security by:
- Marking HTTP as โNot Secureโ
- Blocking insecure cookies
- Enforcing HTTPS for many APIs
Takeaway
SSL/TLS is more than just a certificate; it is a carefully designed system that:
- Solves key exchange securely
- Prevents impersonation of servers
- Protects data on hostile networks
Understanding how SSL/TLS works makes you a better backend engineer, ensuring that the services you build are secure by design.