How to know that you are protected when you enter your credentials into a website form

When a Web site purchases and installs an SSL Digital Certificate, it then has the capability to serve pages over SSL. From a user's standpoint, this simply means that they have followed a link to a site name using the form https://www.sitename.com rather than http://www.sitename.com (notice the "s" in the first "https://..."). There is not a great deal of extra work for the user, but what happens in the background is significantly more complex and helps to ensure the confidentiality of information passed between the user and the site. The user is often notified of the use of SSL on a site by the tell-tale padlock that shows up in their browser tool bar (this varies from browser to browser). This padlock can be opened (usually by a double-click) to see details about the certificate that the site is using to communicate with the user.

EXAMPLE

Let's walk through this and explain exactly what happens when you visit an SSL secured site and enter your credentials:

  1. I am going to check my bank account for the balance using their online Web service. My bank account's URL is http://www.mybank.com. I open a Web browser and type in my bank's URL. At this point, it opens my bank's Web site and is still just using the http:// protocol, so all the information I have exchanged with the site up to this point is unprotected and available for the less-than-scrupulous to gather and look at.
     
  2. Once on their site, I click on the hyperlink on their homepage to enter the area where I can input my username and password to log in to my account. This hyperlink is https://www.mybank.com/accounts, and since the URL includes the https:// protocol, as soon as I click it, a couple of things happen:

    The Web browser I am using and the server both notice that the protocol has changed from http:// to https://; the server tells my browser "this is who I am" and provides a special digital signature for my browser to use to check on a couple of key pieces of information:

    Is the server that I am talking to actually www.mybank.com?

    Has the certificate for www.mybank.com expired?

    Does my browser trust the Certificate Authority that issued the certificate to the www.mybank.com site?

    Once everything checks out, my browser and the site exchange "keys" that allow us to talk back and forth in an encrypted manner to ensure that the site, in that session, is the only thing that can read the information we pass back and forth.
     
  3. I now enter my username and password and check my bank balance, knowing that the information I enter and the information the site sends back to me are viewable only by me at that specific time.
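
The three checks from step 2, as an added example that is not part of the original article: Python's standard ssl module performs the same certificate verification a browser does, and this sketch reports which of the three questions failed when a handshake is refused. The function names and the grouping of OpenSSL verify codes into "hostname", "validity" and "trust" are this example's own choices.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes, grouped by the three questions in step 2.
CHECK_BY_VERIFY_CODE = {
    62: "hostname",  # X509_V_ERR_HOSTNAME_MISMATCH: is this really the site I asked for?
    9: "validity",   # X509_V_ERR_CERT_NOT_YET_VALID
    10: "validity",  # X509_V_ERR_CERT_HAS_EXPIRED: has the certificate expired?
    18: "trust",     # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "trust",     # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "trust",     # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: is the issuing CA trusted?
}


def strict_context():
    """TLS client context that enforces all three checks."""
    ctx = ssl.create_default_context()   # loads the system's trusted CA certificates
    ctx.check_hostname = True            # already the default; stated for clarity
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default; stated for clarity
    return ctx


def failed_check(verify_code):
    """Map an OpenSSL verify code to the question that failed."""
    return CHECK_BY_VERIFY_CODE.get(verify_code, "other")


def check_site(host, port=443, timeout=5.0):
    """Attempt a verified TLS handshake with host and summarise the outcome."""
    ctx = strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "failed": None,
                        "protocol": tls.version(), "expires": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        # The handshake was aborted before any credentials could be sent.
        return {"ok": False, "failed": failed_check(exc.verify_code),
                "detail": exc.verify_message}


if __name__ == "__main__":
    # Usage: python check_tls.py www.example.com [more hosts...]
    for name in sys.argv[1:]:
        print(name, check_site(name))
```

A result with "ok": False means the connection was dropped during the handshake, which is the point at which a browser would show its certificate warning.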

Details

Article ID: 8296
Created: Mon 8/10/15 8:43 AM
Modified: Fri 8/14/15 10:50 AM