Intro to SSL
What is SSL?
Secure Sockets Layer (SSL) is a technology which encrypts traffic between the client application and the server application involved in the conversation. This encryption is accomplished by making use of a public key/private key system using an SSL certificate.
The SSL certificate contains the server’s public key, dates for which the certificate is valid, a hostname for which the certificate is valid and a signature from the Certification Authority which issued it. With this information and some protocol information exchanged during the beginning of a session the client can be reasonably certain that the server is the one to which it is intending to talk.
He said what?
As with everything else in Information Technology, SSL certificates have their own terminology. Here is a small glossary of some of the terms you will encounter while dealing with SSL certificates.
Bit size: Encryption keys are measured by their size in bits. For example 512 bit, 1024 bit, 2048 bit. Generally a longer key is going to be safer but probably slower to use. At this time the minimum size for the keys used in SSL certificates is 1024 bit, though the Extended Validation certificates require 2048 bit.
Certificate Chain: SSL certificates are not generally used alone. In most implementations you will actually be dealing with a certificate chain. For example:
Root > intermediate1 > server cert
Root > intermediate2 > server2 cert
In this example your server certificate is signed by the intermediate certificate, which is in turn signed by the root certificate. Chaining in this fashion can make SSL more secure because it means that the root certificate is not used (and thus exposed to risk) so often. If intermediate1 were compromised then server cert could be in danger, but server2 cert would be fine because they are part of different chains.
Certificate Signing Request: the CSR is a document you generate on the server which contains information that the Certification Authority uses to create your actual certificate.
Common Name: the Common Name (CN) is the hostname for which the certificate is valid (for example, www.domain.com). It should be noted that www.domain.com, smtp.domain.com and mail.domain.com are three completely different hostnames and the same SSL certificate is not valid for all three of them (unless you are using a wildcard certificate but at this time we do not offer those).
Private/Public Key: SSL makes use of a technique called public key cryptography. In this form of crypto you have two keys, the public and the private. The public key is distributed far and wide. No one sees your private key. People who wish to communicate securely with you encrypt their communication using YOUR public key. Public key cryptography is based upon the assertion that bits encrypted with a given public key can only be decrypted using the corresponding private key and vice versa.
Root certificate: The SSL root certificates are self-signed certificates which have been presented to the world by their respective Certification Authorities as the top of their chain. You will find root certificates for the major players already installed in the certificate store of your web browser. This allows your browser to trust those certificates and forms the beginning of the chain of trust leading ultimately to the certificate you install on your server.
Signature: SSL certificates have a digital signature placed upon them by the Certification Authority. It is this signature which, when traced back to a trusted root certificate, confirms the authenticity of the certificate.
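The glossary above describes what a client checks before trusting a server certificate: the Common Name must match the hostname, every certificate must be inside its validity dates, and the chain must lead through any intermediates to a root in the trust store. The example below is added here and is not code from the original article; the Cert class, the CA names and the dates are constructed, and matching the issuer name stands in for verifying the CA's signature, which this model does not compute.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str      # Common Name: the hostname (leaf) or CA name (root/intermediate)
    issuer: str       # subject of the certificate whose signature this one carries
    not_before: date  # start of the validity period
    not_after: date   # end of the validity period
    is_ca: bool = False

# Constructed sample certificates mirroring the glossary's two chains under one root.
ROOT = Cert("Example Root CA", "Example Root CA", date(2010, 1, 1), date(2030, 1, 1), True)
INT1 = Cert("Example Intermediate 1", "Example Root CA", date(2015, 1, 1), date(2027, 1, 1), True)
INT2 = Cert("Example Intermediate 2", "Example Root CA", date(2015, 1, 1), date(2027, 1, 1), True)
SERVER = Cert("www.domain.com", "Example Intermediate 1", date(2024, 1, 1), date(2025, 1, 1))
SERVER2 = Cert("mail.domain.com", "Example Intermediate 2", date(2024, 1, 1), date(2025, 1, 1))

TRUSTED_ROOTS = {ROOT.subject: ROOT}                   # what ships in the browser's store
INTERMEDIATES = {c.subject: c for c in (INT1, INT2)}   # sent by the server along with its cert

def hostname_matches(common_name, hostname):
    """Exact, case-insensitive match; a wildcard covers exactly one left-most label."""
    cn, host = common_name.lower(), hostname.lower()
    if cn == host:
        return True
    if cn.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == cn[2:]
    return False

def validate(leaf, hostname, today, distrusted=frozenset()):
    """Walk issuer links from the leaf to a trusted root; return 'ok: <chain>' or the failure."""
    if not hostname_matches(leaf.subject, hostname):
        return "hostname mismatch"
    chain, cert = [leaf], leaf
    while cert.subject not in TRUSTED_ROOTS:
        if cert.issuer == cert.subject:
            return f"{cert.subject} is self-signed but not a trusted root"
        issuer = INTERMEDIATES.get(cert.issuer) or TRUSTED_ROOTS.get(cert.issuer)
        if issuer is None or not issuer.is_ca:
            return f"no trusted CA certificate found for issuer {cert.issuer}"
        chain.append(issuer)  # issuer-name match stands in for checking the signature
        cert = issuer
    for c in chain:
        if c.subject in distrusted:
            return f"{c.subject} is distrusted"
        if not (c.not_before <= today <= c.not_after):
            return f"{c.subject} is outside its validity dates"
    return "ok: " + " > ".join(c.subject for c in reversed(chain))
```

Passing {"Example Intermediate 1"} as distrusted makes validate reject SERVER while SERVER2, which hangs off the other intermediate, still validates, which is the point made about separate chains above.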
Why use SSL?
The core technologies that drive today’s Web 2.0 fancy integrated world were originally conceived back when the Internet was a much nicer place. You literally knew, either personally or by professional reputation, most of the people with whom you interacted. Security was not as big a deal because we were just sharing research papers and swapping simple e-mails.
Now you are taking orders for services costing hundreds of dollars and paid for with credit cards. While your customer is placing their order you might be on the website for your doctor’s office checking out your latest blood work results and typing up a corporate strategy e-mail in your webmail application. The data is still just bits to the Internet but to you the bits are a bit more sensitive than the old research papers. SSL allows the bits to travel from browser to server and back again using a secured transmission tunnel to combat eavesdropping. Because SSL certificates are signed by trusted root authorities (generally already configured into your browser) it is also possible to verify identity for the site providing the certificate. The amount of verification depends on the style of SSL certificate involved.
SSL at SoftLayer
At SoftLayer we resell three types of SSL certificates: Domain Validation, Organization Validation and Extended Validation. Domain validation (DV) certificates are inexpensive and available quickly. The validation done by the Certification Authority is limited to sending an e-mail to a specified e-mail address at the domain in question and getting a positive reply back. Organization Validation and Extended Validation certificates take a couple of days (sometimes a week), cost more and result in deeper checks by the Certification Authority. The EV certificates are coded in such a way that modern browsers recognize them as EV and will typically display a green bar as part of the address bar. The green bar is being marketed as another way users can check to see if the site with which they are communicating is the site they intend. SSL certificates, like other services here, can be managed through the customer portal. If you go to the Security menu you will see an SSL certificates option at the bottom where certificates can be ordered and managed. Note that an SSL certificate ordered via SoftLayer does not have to be used on a SoftLayer server. In the same fashion, certificates ordered elsewhere can be used on your servers hosted here.
SSL certificates bring value to your online presence by enhancing the actual security of the transactions taking place and also by giving your users a feeling of security. As with any security technology, SSL certificates are only part of the equation. Daemon security, physical security, coding practices and certificate handling all combine to form the overall security profile of the solution.