Secure Sockets Layer (SSL): How It Works

What Happens When a Browser Encounters SSL

  1. A browser attempts to connect to a website secured with SSL.
  2. The browser requests that the web server identify itself.
  3. The server sends the browser a copy of its SSL Certificate.
  4. The browser checks whether it trusts the SSL Certificate. If so, it sends a message to the server.
  5. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
  6. Encrypted data is shared between the browser and the server, and HTTPS appears in the address bar.

Encryption Protects Data During Transmission

Web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to help users protect their data during transfer by creating a uniquely encrypted channel for private communications over the public Internet. Each SSL Certificate consists of a key pair as well as verified identification information. When a web browser (or client) points to a secured website, the server shares the public key with the client to establish an encryption method and a unique session key. The client confirms that it recognizes and trusts the issuer of the SSL Certificate. This process is known as the “SSL handshake” and it begins a secure session that protects message privacy, message integrity, and server security.
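Step 4 of the handshake above, the browser deciding whether it trusts the certificate, is where most of the protection described in this section actually comes from. The following added example (not Symantec's code) models that decision with three checks a practitioner can reason about by hand: the certificate must chain to a root the browser already trusts, every certificate in the chain must be inside its validity period, and one of the certificate's DNS names must match the hostname the user typed, using the wildcard rules browsers apply. The certificate records and dates are constructed for the example; real browsers additionally verify each certificate's signature with its issuer's public key and check revocation, which this model omits.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """A simplified certificate record (constructed for this example)."""
    subject: str                 # distinguished name, reduced to one string
    issuer: str
    not_before: datetime
    not_after: datetime
    sans: tuple = ()             # subjectAltName DNS names the certificate covers
    is_ca: bool = False          # basicConstraints CA flag


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate against the requested hostname.

    Follows the browser rules from RFC 6125: case-insensitive comparison,
    a wildcard only as the entire left-most label, never spanning more than
    one label, and rejected for names too short to carry one ("*.com")."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def build_chain(leaf, intermediates, trust_anchors):
    """Follow issuer links from the leaf until a trust anchor is reached.
    Returns the chain (leaf first) or None if no trusted path exists."""
    by_subject = {c.subject: c for c in intermediates}
    anchors = {c.subject: c for c in trust_anchors}
    chain, seen, current = [leaf], {leaf.subject}, leaf
    while current.issuer not in anchors:
        nxt = by_subject.get(current.issuer)
        if nxt is None or not nxt.is_ca or nxt.subject in seen:
            return None              # unknown issuer, non-CA issuer, or a loop
        chain.append(nxt)
        seen.add(nxt.subject)
        current = nxt
    chain.append(anchors[current.issuer])
    return chain


def browser_trusts(leaf, hostname, intermediates, trust_anchors, now):
    """Return (trusted, reason) for a server certificate presented for hostname."""
    chain = build_chain(leaf, intermediates, trust_anchors)
    if chain is None:
        return False, "no path to a trusted root"
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"certificate for {cert.subject} is outside its validity period"
    if not any(hostname_matches(san, hostname) for san in leaf.sans):
        return False, f"certificate is not issued for {hostname}"
    return True, "ok"


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: a root the browser ships with, an issuing CA, and a leaf.
NOW = _utc(2025, 6, 1)
ROOT_CA = Cert("Example Root CA", "Example Root CA", _utc(2015, 1, 1), _utc(2035, 1, 1), is_ca=True)
ISSUING_CA = Cert("Example Issuing CA", "Example Root CA", _utc(2020, 1, 1), _utc(2030, 1, 1), is_ca=True)
LEAF = Cert("www.example.com", "Example Issuing CA", _utc(2025, 1, 1), _utc(2026, 1, 1),
            sans=("www.example.com", "*.example.com"))

if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.com", "a.shop.example.com"):
        print(host, browser_trusts(LEAF, host, [ISSUING_CA], [ROOT_CA], NOW))
    print("without intermediate:", browser_trusts(LEAF, "www.example.com", [], [ROOT_CA], NOW))
```

The wildcard rules are the part most often got wrong in home-grown clients: `*.example.com` covers `shop.example.com` but neither `example.com` itself nor `a.shop.example.com`, and the browser rejects a chain that stops at an intermediate it does not already trust even when every individual certificate looks valid.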

Credentials Establish Identity Online

Credentials for establishing identity are common: a driver’s license, a passport, a company badge. SSL Certificates are credentials for the online world, uniquely issued to a specific domain and web server and authenticated by the SSL Certificate provider. When a browser connects to a server, the server sends the identification information to the browser.

To view a website’s credentials:

  • Click the closed padlock in a browser window
  • Click the trust mark (such as a Norton Secured Seal)
  • Look in the green address bar triggered by an Extended Validation (EV) SSL

Authentication Generates Trust in Credentials

Trust in a credential depends on confidence in the credential issuer, because the issuer vouches for the credential’s authenticity. Certification Authorities use a variety of authentication methods to verify information provided by organizations. Symantec, the leading Certification Authority, is well known and trusted by browser vendors because of our rigorous authentication methods and highly reliable infrastructure. Browsers extend that trust to SSL Certificates issued by Symantec.

Extend Protection beyond HTTPS

Symantec SSL Certificates offer more services to protect your site and grow your online business. Our combination of SSL, vulnerability assessment and daily website malware scanning helps you provide site visitors with a safer online experience and extend server security beyond https to your public-facing web pages. The Norton Secured Seal and Symantec Seal-in-Search technology help assure your customers that your site is safe from search to browse to buy.

How HTTPS Means Security

Hypertext Transfer Protocol Secure, or HTTPS, is the layering of Secure Sockets Layer (SSL)/Transport Layer Security (TLS) and HTTP protocols to create secure communication.
HTTPS indicates that the website has been authenticated by a third-party Certification Authority (CA), and that the organization operating the website is who it claims to be. HTTPS is a visual indication that information is being exchanged for the session in a more secure way.
HTTPS appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on either the lock symbol in the browser bar or the Norton Secured Seal posted on the page.
Websites that display HTTPS in the URL and include the green bar are secured by Extended Validation, the most stringently validated form of SSL. These websites go through the most rigorous industry-mandated authentication procedures.
Another important step towards ensuring a user is protected as they view a website is having the site completely hosted over HTTPS, including all of the content, images, and links. If not all of the web pages and their resources are loaded over HTTPS, the user can be susceptible to session hijacking.

Can I secure multiple servers with a single certificate?

  • Sharing certificates on multiple servers increases risk of exposure.
  • Auditing becomes more complex, reducing accountability and control. If a private key becomes compromised, it can be difficult to trace and all servers sharing that certificate are at risk.
  • Because sharing certificates degrades security, the Symantec certificate subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased additional server licenses.
  • Symantec’s licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators.

How long does verification take?

Authentication for new certificates could take as little as 1 hour or up to several days, depending on the verification information you provide and whether or not your certificates are pre-approved.
  • If your organization is the legal holder of the domain, you can expect to receive your certificate within 1 hour of your request.
  • A Symantec® Trust Center Enterprise Account stores pre-approved domain, organizational and contact information. When you submit a certificate request that contains the authenticated information, Symantec instantly issues your certificate.
  • Processing times for EV SSL Certificates may take longer due to additional verification requirements mandated by the Extended Validation (EV) SSL Guidelines.

What does Symantec do to verify my right to use a domain name?

  • Symantec first tries to authenticate your company’s management responsibility through publicly available domain name registration information.
  • If we cannot automatically authenticate your domain name control, we require an authorization letter from that domain’s owner.
  • This step prevents applicants from fraudulently or accidentally obtaining SSL Certificates for domains that do not belong to them.

Only SSL Certificates with EV trigger high-security Web browsers to display your organization’s name in a green address bar and show the name of the Certificate Authority that issued it.

What information does Symantec require to verify my business identity?

When you request an SSL Certificate, Symantec verifies the existence of your business, the ownership of your domain name, and your employment status or authority to request the SSL Certificate.

We may require official government documentation proving your right to do business. These may include:

  • Articles of Incorporation
  • Certificate of Formation
  • Charter Documents
  • Business License
  • Doing Business As
  • Registration of Trade Name
  • Partnership Papers
  • Fictitious Name Statement
  • Vendor/Reseller/Merchant License
  • Merchant certificate

Our authentication and verification procedures are based on more than 15 years of practice authenticating commercial businesses.

These procedures are audited annually by KPMG under Statement on Auditing Standards No. 70 (SAS 70) Type II, established by the American Institute of Certified Public Accountants.

How do consumers view the authentication information?

When a browser connects to a server, the server sends the identification information to the browser.

To view a Web site’s credentials, do one of the following:

  • Click the closed padlock in a browser window
  • Click the trust mark (such as the Symantec Trust™ Seal)
  • Look in the green address bar*

Only SSL Certificates with EV trigger high-security Web browsers to display your organization’s name in a green address bar and show the name of the Certificate Authority that issued it.

Why do different SSL Certificates contain different information?

  • Certificate Authorities use different authentication methods and levels to verify information provided by organizations.
  • The most basic SSL Certificate only verifies domain name control, a low-level of authentication that may be used by fraudsters to make their sites appear trusted.
  • Symantec, the leading Certificate Authority, secures more than one million Web servers worldwide and is well known and trusted because of our rigorous authentication methods and highly reliable infrastructure.
  • Symantec® SSL Certificates are issued with either full business authentication or Extended Validation (EV) authentication.
  • The Symantec Trust Seal verification page also includes the status of your daily malware scan.

What is the Symantec Trust Seal?

The Symantec Trust Seal is a dynamic, animated graphic that displays on Web pages secured by Symantec SSL Certificates and Web sites authenticated by Symantec.

When users click the Symantec seal, it opens a Symantec-generated verification page containing information about your Symantec SSL Certificate, your organization, and the status of your malware scan.

The Symantec seal, the most recognized trust mark on the Internet, is viewed up to 250 million times a day on more than 90,000 Web sites in 160 countries and in search results on enabled browsers as well as partner shopping sites and product review pages.

What is authentication and why is it important to SSL?

Authentication is third-party verification of a Web site’s identity to establish trust.

Before Web visitors share username and password, payment information or other personal data, they need to know that they can trust the Web site requesting it.

A company logo or brand name is not enough since these can be faked.

To protect against fraud and phishing sites, Web visitors look for proof that your business entity and Web site are legitimate.

This can be provided by a Symantec SSL Certificate. Similar to the way a government agency verifies a birth date before issuing an identification card, an SSL provider (Certificate Authority) verifies an organization’s right to use a domain name and other required identification information.

SSL Certificates are uniquely issued to a specific domain and Web server.

What are SSL credentials that establish identity online?

SSL Certificates are credentials for the online world, uniquely issued to a specific domain and Web server and authenticated by the SSL Certificate provider. When a browser connects to a server, the server sends the identification information to the browser.

To view a Web site’s credentials:

  • Click the closed padlock in a browser window
  • Click the trust mark (such as the Symantec Trust™ Seal)
  • Look in the green address bar*

Only SSL Certificates with EV trigger high-security Web browsers to display your organization’s name in a green address bar.

What is Phishing and how to protect against it

Phishing is the practice of a fraudulent web site imitating an authentic site for the purpose of gathering credit card numbers, identities, or other private information from consumers without their permission. Usually, phishing or fraudulent web sites look just like the real thing.

To distinguish a phishing site from a valid site, customers may look for subtle signs including requests for user name and password.

Where phishing sites often try to scare consumers into submitting their user name and password, a valid site will never scare visitors into providing this information.

How can you tell if a Web Site is Authentic?

Before submitting information or purchasing goods from an online merchant, you need to know that the company you are doing business with is who it claims to be.

While Web sites can buy server certificates from many different companies, Internet browsers are configured to trust only those server certificates that come from a few highly reputable companies.

When you visit an online business that is secured by Symantec, Thawte or GeoTrust, for example, you can be certain that the site is authentic.

While many consumers and merchants do not fully understand the detailed practices behind Symantec authentication services, they do know to look for the Symantec Secured Seal as evidence that a business is real and that its site is a safe place to shop.

Every authenticated Web business gets the seal along with their certificate solution to increase customers’ confidence in their site.

The Microsoft® Internet Explorer and Netscape® Navigator® browsers have built-in security mechanisms to prevent users from unwittingly submitting their personal information over insecure channels.

If a user tries to submit information to an unsecured site (a site without an authenticated SSL Certificate), the browsers will by default show a warning, which can make the purchase process seem threatening.

What is Authentication and Encryption?

Authentication and Encryption Explained:
Authentication:
  • Some CAs believe that encryption is enough to ensure a secure Web site and to build trust between you and your customers. But in fact, encryption is not enough; it is imperative that your Web site is also authenticated, which will improve Web visitors’ trust in you and your Web site. Authentication means that a trusted authority can prove that you are who you say you are. To prove that your business is authentic, your Web site needs to be secured by best-of-breed encryption technology and authentication practices.

Encryption:

  • The Web presents a unique set of trust issues, which businesses must address at the outset to minimize risk. Customers submit information and purchase goods or services via the Web only when they are confident that their personal information, such as credit card numbers and financial data, is secure. The solution for businesses that are serious about e-commerce is to implement a complete e-commerce trust infrastructure based on encryption technology. Encryption, the process of transforming information to make it unintelligible to all but the intended recipient, forms the basis of data integrity and privacy necessary for e-commerce.

Do all SSL Certificates provide the same security and trust for our business?

  • Symantec SSL Certificates provide more security and trust at no additional cost.
  • Our premium SSL Certificate, the Symantec Trust Seal, Symantec Seal-in-Search technology, and daily Web site malware scanning work together to help assure your customers that your site is safe from search to browse to buy.
  • Seal-in-Search displays the Symantec Trust Seal next to your link on browsers enabled with a free plug-in as well as on partner shopping sites and product review pages.
  • The seal differentiates your link in search and shows that malicious code has not been detected in a daily malware scan.

What are the different types of SSL Certificates?

Domain Validated Certificate:

  • Considered an entry-level SSL Certificate and can be issued quickly.
  • The only verification check performed is to ensure that the applicant owns the domain (web site address) where they plan to use the certificate.
  • No additional checks are done to ensure that the owner of the domain is a valid business entity.

Fully authenticated SSL Certificate:

  • The first step to true online security and confidence building.
  • Taking slightly longer to issue, these certificates are only granted once the organization passes a number of validation procedures and checks to confirm the existence of the business, the ownership of the domain, and the user’s authority to apply for the certificate.

Extended Validation (EV) SSL Certificates:

  • EV Certificates offer the highest industry standard for authentication and provide the best level of customer trust available.
  • When consumers visit a web site secured with an EV SSL Certificate, the address bar turns green (in high-security browsers) and a special field appears with the name of the legitimate web site owner along with the name of the security provider that issued the EV SSL Certificate.
  • It also displays the name of the certificate holder and issuing CA in the address bar.
  • This visual reassurance has helped increase consumer confidence in e-commerce.

Code Signing Certificates:

  • Are Certificates specifically designed to ensure that the software you have downloaded was not tampered with while en route.
  • There are many cyber criminals who tamper with software available on the Internet.
  • They may attach a virus or other malicious software to an innocent package as it is being downloaded.
  • These certificates make sure that this doesn’t happen.

When do I need SSL?

Need for SSL:

  • You have an online store or accept online orders and credit cards.
  • You offer a login or sign in on your site.
  • You process sensitive data such as address, birth date, license, or id numbers.
  • You value privacy and expect others to trust you.