The Secure Sockets Layer protocol, or SSL, sits between the application-level protocol (in this case HTTP) and the low-level transport protocol (for the Internet, almost exclusively TCP/IP). It handles the details of security management using public key cryptography to encrypt all client/server communication. SSL was introduced by Netscape with Netscape Navigator 1. It has since become the de facto standard for secure online communications and forms the basis of the Transport Layer Security (TLS) protocol currently under development by the Internet Engineering Task Force. For more information on TLS, see http://www.ietf.org/.
SSL Version 2.0, the version first to gain widespread acceptance, includes support for server certificates only. It provides authentication of the server, confidentiality, and integrity. Here’s how it works:
A user connects to a secure site using the HTTPS (HTTP plus SSL) protocol. (You can detect sites using the HTTPS protocol because their URLs begin with https: instead of http:.)
The server signs its public key with its private key and sends it back to the browser.
The browser uses the server’s public key to verify that the same person who signed the key actually owns it.
The browser checks to see whether a trusted certificate authority signed the key. If one didn’t, the browser asks the user if the key can be trusted and proceeds as directed.
The client generates a symmetric ( DES) key for the session, which is encrypted with ...