Designed for screen resolutions of 1024x768 pixels or higher.

What is an SSL/TLS certificate?

Security certificates and the small difference between http and https

To explain the title: SSL is the short version of "Secure Socket Layer" and describes a security protocol underlying the communication between a web server (my page) and the client accessing it (you). Nowadays, using updated encryption standards, this system is continued under the acronym TLS which stands for "Transport Layer Security. The name change simple reflects the evolution of the implementation, as TLS 1.0 actually means SSL 3.1.

But lets start at the beginning: Back in summer '09 I noticed that I had the option to freely upgrade one of my web domains to a GeoTrust certified website - usually such a certificate may cost up to several hundred dollars a year. This means that a certain security and account holding company, which takes the responsibility of caring for valid address data of the website owner, issues a certificate for a web domain. The certificate is then installed on the webserver and allows to identify this website uniquely. If the certificate is somehow stolen and installed on another domain, it is easily identified as not belonging to the page. If you click on the GeoTrust logo further down this page, a popup page appears and gives you some limited information on the certificate. Note that the shown logo image is NOT hosted on my server, but is automatically generated by a GeoTrust hosted JavaScript which checks that this is indeed the domain specified in the certificate.

But what are the actual benefits of such a certificate for the user? Certainly such a logo and the certificate information can be easily faked if someone wanted to steal some of your more important information. However, using a SSL certificate also allows for encrypted communication between the webserver and the client, and this is what is actually interesting for the enduser. For example, if you do some online banking, your bank login most likely uses a SSL/TLS-secured login page, which means that your account number and whatever other login information you have to supply (password etc.) are encrypted before the actual data transfer from your computer to the server takes place. You can easily spot a secured connection by taking a look at the address bar of your internet browser. If it starts with "http" (which is the short version of "Hypertext Transport Protocol") your connection is unencrypted, i.e. if someone manages to monitor you communication with the webserver, all the transfered data (HTML pages, images, etc.) come as plain data packages. On the other hand, if the web address starts with "https" your connected is secured and all the data is encrypted.

The obvious question is: Why does not every website encrypt all their communications data by default? The simple answer is: Because of limited computing time. Using an encrypted connection usually triples or quadruples the workload that the server has to spend on showing a page. And for most pages this additional effort is really not neccessary, as they contain only non-vital data. But if you take a look at your bank account, it should be obvious, that such a connection should be encrypted to avoid unwanted guest taking a look at your financial status. The same holds true for your email account, which also uses a SSL/TLS encrypted connection in most cases. However, with the immensely fast growing power of modern processors, more and more encryption takes places in out day-to-day online activities.

Basic encryption 1-0-1

So how does the encrypted communication actually work in detail? First we have to look a little bit on encryption algorithms in general, where we can distinguish between asymmetrical and symmetrical ones. Asymmetrical encryption means that there are two different keys for encryption and decryption of the data. For the symmetrical algorithms both keys are the same, i.e. in order to decrypt a message the same key is used as in the encryption process. So if you use an asymmetrical encryption algorithm, you can make your encryption key public, but keep the decryption key to yourself. Anyone willing to send you a message now just takes your public encryption key, but only you are able to decrypt and read the message. If both ends of a communication line use this approach, the encryption is completely secure. The most widely used asymmetrical implementation is the RSA algorithm, which relies on the mathematical problem of factorizing huge numbers into its prime factors (decomposing a number of about 1000 digits into its prime factors requires extremely much computing power - but given two large prime numbers, computing their product comes almost for free).

Naturally, the asymmetrical approach seems to hold lots of advantages... but those come at a huge price. Asymmetrical data encryption and decryption requires several orders of magnitude more computing power to provide the same level of security that a comparable symmetrical algorithm has. For example, some estimates say that you require a RSA-15360 encryption to provide the same level of security that AES-256 has. AES, which stands for "Advanced Encryption Standard", is nowadays the most widely used symmetrical algorithm. According to NSA estimates, using an 192 bit key is still sufficient even for top secret material, but most people use 256 bit keys anyways because the difference in computing time is neglectable.

So in practice, when you are connected to a SSL secured website (or your eMail account for example), both methods are used. First your computer and the webserver both exchange their public asymmetrical encryption keys. Then using the asymmetrical encryption, both systems exchange a randomly generated encryption/decryption key used for the further information exchange using a symmetrical algorithm. Therefore, the slow asymmetrical encryption is only used to exchange the keys for the subsequently used symmetrical algorithm, which then handles the encryption of the actual website data. Every few minutes the webserver and client agree to a new symmetrical key. Rest assured that the unwanted decryption of your information by a data thief becomes absolutely impossible in the foreseeable future. As far as I know, even the latest theoretically described attack on AES-256 still would take 2^110 computational steps, which even using the worlds biggest supercomputers takes eons to complete...

To verify this domain / website please click on the seal:

Please note: The GeoTrust verification requires an activated JavaScript functionality in your internet browser. If you see this message, JavaScript support is most likely deactivated and the dynamically generated GeoTrust seal may not appear or function properly.