- A client uses a Web browser to contact a Web server that hosts a secured URL.
- The Web server responds to the client's request and sends the server's digital certificate to the Web browser. The X.509 certificate is the most commonly used type.
- The client now verifies that the certificate is valid and correct. Certificates are issued by known authorities such as Thawte or Verisign. This step is important because the certificate authenticates the Web server's organization as legitimate.
- Once the certificate is validated, the client generates a one-time session key, which will be used to encrypt all communication with the Web server.
- The client now encrypts the session key with the Web server's public key, which was transmitted with the digital certificate. Using the Web server's session key ensures that only the Web server can decrypt the data.
- At this point, a secure session is established, and both parties can communicate via a secure channel.
Layer 6 threats
We can place a high level of confidence in SSL and TLS, but threats do exist. Two of the most likely can be categorized as fake certificate attacks and man-in-the-middle attacks. Fake certificate attacks require the attacker to provide the client with a fake certificate. Clients should notice this attack -- they will receive a pop-up dialog warning about a problem with the certificate. The certificate is very similar to a real certificate, except that it is not signed by a trusted certification authority. Man-in-the-middle attacks are difficult because the attacker must intercept communication between the client and server. The attacker then replaces the legitimate keys with his own.
Although these attacks against SSL are possible, a far greater threat comes from businesses that have decided to use no encryption at all and simply pass their customers information in clear text. All things considered, protocols such as SSL and TLS have proven themselves to be very competent. This is witnessed by the millions upon millions of secure exchanges that occur each day. If this discussion of SSL has sparked your interest to learn more about this technology, you may want check out Stunnel. Stunnel is designed to encrypt arbitrary TCP connections inside SSL.
About the author:
Michael Gregg has more than 15 years of experience in IT. He is the president of Superior Solutions Inc., a Houston-based training and consulting firm, and an expert on networking, security and Internet technologies. Michael holds two associate degrees, a bachelor's degree and a master's degree. He currently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.
This was first published in February 2007