Secure Sockets Layer (abbreviated SSL) is a cryptographic protocol designed by Netscape to make it possible to transmit private documents and information securely over the Internet. The use of some form of SSL or TLS is standard for Internet ecommerce transactions so that customers' payment information and other personal data are protected in transit. The system is somewhat complex, but the complexity is not exposed to the customer, for whom it is made to appear straightforward and simple. From the customer's perspective, the https scheme in the address, the lock icon and (for extended validation certificates, in the browsers of the time) the green address bar signal the use of SSL. Site seals are a different matter: they are ordinary images placed on the page by the site owner, can be copied onto any site, and prove nothing by themselves; only the browser's own indicators reflect a connection the browser has actually verified.
Development of Secure Sockets Layer began with SSL version 1.0, which was never released to the public. The first public version, 2.0, came out in 1995, but numerous security flaws led to the speedy development of version 3.0, which debuted in 1996.
At this point a line of development that continues to the present was started, based on SSL 3.0. It is referred to as Transport Layer Security by some and SSL by others, leading to a certain amount of confusion for those who don't know the system's history. TLS version 1.0 was an upgrade to SSL 3.0 that was first defined in a Request for Comments (RFC) document, RFC 2246, in January 1999; because its version number on the wire is 3.1, it is also called SSL 3.1. It has a different development group than SSL, having been developed by the Internet Engineering Task Force (IETF) rather than Netscape. TLS 1.1 (RFC 4346) was defined in April 2006 and is also known as SSL 3.2; TLS 1.2 (RFC 5246) was defined in August 2008 and is also known as SSL 3.3. TLS 1.3 (RFC 8446) followed in August 2018. Every version before TLS 1.2 has since been formally deprecated by the IETF (SSL 2.0 by RFC 6176, SSL 3.0 by RFC 7568, TLS 1.0 and 1.1 by RFC 8996), so a server configured today should accept only TLS 1.2 and 1.3.
Both SSL and TLS use asymmetric cryptography, also called public-key cryptography (PKC). This method employs a pair of keys: what is encrypted with one key can only be decrypted with the other, so a server can publish one of them (the public key) while keeping the other (the private key) secret. In SSL/TLS the asymmetric operations are used only during the handshake, to authenticate the server and to agree on a fresh session key; the documents themselves are then encrypted with a much faster symmetric cipher under that session key. Public-key cryptography by itself cannot tell a customer whose public key they are talking to, and that is where digital certificates come in: a certificate binds a public key to a domain name (and possibly an organization) and is signed by a third party the browser already trusts.
SSL certificates are sold and signed by Certification Authorities (CAs). Some of the best-known CAs include VeriSign, Thawte, Network Solutions, GeoTrust, and GoDaddy. Certification Authorities may also operate through resellers. Certificates may be free, shared, or dedicated. A dedicated certificate, issued for the site's own domain name and held only by that site, is the most secure option. A shared certificate is one that a web host uses for many customer sites at once; the commonest form is a wildcard certificate, which covers every first-level subdomain of a single domain (for example *.example.com), so that customer sites operating on subdomains of the host's domain are all protected by it. Shared and wildcard certificates of this kind are available directly through web hosting plans, with the caveat that the host, not the customer, holds the private key, and a compromise of that one key affects every site the certificate covers.
In addition to the security level provided by the type of certificate, the authentication a CA performs before signing can be more or less thorough. Domain validation (DV) only establishes that the applicant controls the domain, typically by having them answer an email sent to a contact address taken from the WHOIS record or publish a CA-supplied token in DNS or on the web server; it says nothing about who the applicant is. Organizational validation (OV) additionally checks that the applicant's organization exists and that both its physical address and its web address are accurate. Extended validation (EV) involves a far-reaching review of the legal entity, and applicants who passed were rewarded with the display of the green address bar; the major browsers dropped that special indicator in 2019, so an EV certificate is no longer distinguishable from the others at a glance. All three levels give the same encryption; what differs is how much the certificate tells the customer about who is on the other end.
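To make the certificate and CA concepts concrete, here is an added example that is not part of the original article: a shell script that uses the openssl command line (assumed to be installed) to play Certification Authority for a hypothetical hostname, www.example.test. It shows the two-key relationship from the public-key paragraph (the certificate carries the public key that belongs to the server's private key, which never leaves the server) and then what a browser's trust check actually decides: the same server certificate verifies against the CA that signed it, is rejected by an unrelated CA, and is rejected for a hostname it was not issued for, which is exactly the property domain validation is meant to guarantee. The CA names, the hostname and the temporary file names are all invented for the example.

```shell
#!/bin/sh
# Added example, not from the original article. A miniature Certification
# Authority built with the openssl CLI (assumed installed). Everything lives
# in a temporary directory that is removed when the script exits.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE=www.example.test   # hypothetical hostname the server certificate is issued for

# make_ca PREFIX NAME: a self-signed CA key pair and certificate (PREFIX.key, PREFIX.crt).
# An explicit config file keeps the result independent of the system openssl.cnf.
make_ca() {
  cat > "$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$1.cnf" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# issue_server_cert: the server generates its own key pair and a signing
# request (CSR) that carries only the public key; the CA signs that request.
# The private key stays in $WORK/server.key and is never sent to the CA.
issue_server_cert() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$SITE" > "$WORK/csr.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # Extensions the CA puts into the issued certificate: the validated name and "not a CA".
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$SITE" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/server.csr" -days 1 -sha256 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/server.crt" >/dev/null 2>&1
}

# cert_matches_key: the public key embedded in the certificate is the one
# derived from the server's private key (the "two keys" of public-key crypto).
cert_matches_key() {
  openssl pkey -in "$WORK/server.key" -pubout > "$WORK/from_key.pub"
  openssl x509 -in "$WORK/server.crt" -noout -pubkey > "$WORK/from_cert.pub"
  cmp -s "$WORK/from_key.pub" "$WORK/from_cert.pub"
}

# verify_chain TRUSTSTORE HOSTNAME: the check a browser performs on every
# connection, with TRUSTSTORE standing in for its built-in list of CA certs.
# Returns 0 only if the signature chains to TRUSTSTORE and the name matches.
verify_chain() {
  openssl verify -no-CApath -CAfile "$1" -verify_hostname "$2" \
    "$WORK/server.crt" >/dev/null 2>&1
}

make_ca "$WORK/ca" "Example Test CA"
make_ca "$WORK/other" "Unrelated CA"
issue_server_cert
cert_matches_key && echo "certificate carries the server's public key"
verify_chain "$WORK/ca.crt" "$SITE" && echo "trusted CA, right name: accepted"
verify_chain "$WORK/ca.crt" "evil.example.test" || echo "trusted CA, wrong name: rejected"
verify_chain "$WORK/other.crt" "$SITE" || echo "unrelated CA: rejected"
```

Run it with sh. Each call to verify_chain takes the same path a browser takes, with the -CAfile argument in place of the browser's built-in CA list. A commercial CA differs from this script only in how it decides whether to sign the request (the DV, OV or EV checks described above) and in already being present in browsers and operating systems; the cryptography is identical, and the "Unrelated CA" case is why a certificate from a CA the browser does not know produces a warning no matter how carefully it was issued.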