When you open any website, the browser tells you that something is “Not protected.” Some people think that such pages are fulfilled with viruses and that staying on them is dangerous. In fact, it`s not so bad as you think – the website simply does not have an SSL Certificate. We are going to find out what kind of technology is this SSL and why it is not as simple as it seems
What is SSL Certificate
Technical Explanation about SSL and HTTPS
The standard protocol for transmitting data on the web, which has been used since 1992, is HTTP. This protocol sets the rules by which users request sites, and servers give these sites. The protocol is just an agreement: “Pass the page title like this, text like that, ask for the password like that.” The protocol can be anything inside, the main thing is that everyone agrees to use it.
The disadvantage of the HTTP protocol is that it transmits data in clear text. If you enter the card data on a site with HTTP, then they will fly unencrypted over the communication channels. An attacker can intercept and read them – it’s enough, for example, to just “listen” to all the traffic on the wireless network.
HTTP is a fast but insecure protocol. It is difficult to blame it: when it was created, no one thought that credit card information would be entered on the sites. They thought they would exchange the results of scientific research.
To solve the problem of unencrypted data, in 2000 they came up with HTTPS – HyperText Transfer Protocol Secure, a secure hypertext transfer protocol. Inside it works like regular HTTP, but outside it encrypts all its traffic. Even if someone wedges in the middle, he will see only a code that cannot be disassembled.
For encrypting pages in HTTPS, the SSL protocol is Secure Sockets Layer, a level of secure sockets. Sockets are virtual connections between computers. A secure socket means that the data that flows internally from one computer to another is safe. If the browser opens the page with information about how does tor work, using this protocol, then before sending to the server it encrypts everything that you do or enter on the site. The very thing is if you need to send payment card data or login with a password from the service.
In fact, since about 2014, instead of SSL, they use TLS, which was conceived as an update to SSL 3.0. The fact is that in 2014 they discovered a vulnerability in the SSL protocol, which allows you to decrypt all data. TLS does not specifically have this vulnerability (but there are probably others), so everyone smoothly switched to it, but because of old memory and habit, they call everything an SSL connection and SSL certificates.
How SSL Protocol Works
- After entering the address, the browser goes to the desired server and requests a page from it via HTTPS. If the pages work with HTTPS, then everything is fine, go to step 2.
If the server still uses the old HTTP protocol, then it will give the browser a page using this insecure protocol and there will be no further encryption. - The server sends a copy of its SSL certificate to the browser so that the browser makes sure that everything is in order. In such a certificate it is written what kind of domain it is, who issued the certificate and information about the owner.
- The browser verifies the authenticity of the certificate and, if all is well, sends back its public key for SSL encryption. If it’s not yet clear what a public key is, a little patience is already being prepared.
- The server encrypts the page with the received key and sends it to the browser.
- The browser decrypts the page, shows it to the user, and tells the server that everything is in order, we are working on. From now on, all data is encrypted and you can send anything to the server.
What About Regular Sites Without Certificates?
If the site does not have a certificate, this does not mean that the site is bad. This means that the data that you will enter there is transmitted in the clear. That means they are easier to intercept. If you do not fill out anything on the site or leave a comment without registering, nothing terrible will happen and you don`t need to ask yourself what does facebook know about me.
There are many sites that do not use certificates and do not ask for anything from users – business card sites, corporate pages and information portals.
Some believe that if there is no secure connection, then hackers will immediately attack you or infect with malwares, but this is not true. The virus can be picked up even on a site with an SSL certificate, if the domain owner puts it there.
How to Get SSL Certificates?
This is not just a 5 minute question, but in some cases also a free operation. Nowadays you can automatically obtain a certificate for any new site, even if you have a fraudulent site. To do this, it is enough to have administrator access to your site.
What’s Wrong with SSL Security
The lock icon and the inscription “Protected” means only that the browser has established a secure connection with the server. If someone tries to intercept traffic, then he still will not be able to decrypt it. But if an attacker puts an SSL certificate on his site and accepts information about payment cards, then they will fall into his hands.
No one can stop a criminal from receiving a certificate, installing it on their website and pretending that this is a safe page. An SSL certificate guarantees secure data transfer, but is not responsible for where it is sent. Therefore, before entering sensitive information on the site, make sure that the site belongs to the right company. Sometimes it happens like this: attackers change one letter in the site address, get a certificate and make exactly the same design as in the original. Someone comes to such a site for purchases, enters the card details and … you know. Be careful.