Mirror of the Rel4tion website/wiki source, view at <http://rel4tion.org>
How_SSL_Works.mdwn
Without a security layer, the communication between the client and the server of a web service is not encrypted. Third parties such as your [[!wikipedia ISP]] can read what you send and receive. It is also not authenticated: Someone can pretend to be the server you’re looking for, and you may end up giving your private details, such as passwords and bank account numbers, to someone with bad intentions!
Therefore, a secure connection, e.g. between a web browser and a web server, should have these two properties:
- Encrypted: Nobody can read the data while it’s sent through the network
- Authenticated: Nobody can use a fake identity to trick you into believing you see the website you want, while you actually see a copy of it made by someone else.
SSL can provide this security. Although it’s not perfect when used as is (see next section), combining it with your own CA and Monkeysphere support helps fix the weaknesses and launch secure web services.
You can read more about it in [[!wikipedia SSL desc="Wikipedia"]].
The idea is as follows.
The web service holds a private key, which is kept in a secure location and must not be stolen. The key is a way for the web service to prove it’s really it, i.e. allow others to verify its identity. If someone else got the key, the service’s security could thus be compromised.
The client holds public certificates. When connecting to the web service, it uses them to verify the identity of the service (the service proves possession of its private key during this process, but never sends the key itself to the client) and to make sure the service is “trusted”, i.e. its certificate is installed on the client machine. Web browsers usually come with a preinstalled collection of such certificates. To be more precise, they hold the root certificates of the CAs, and not the certificates of the web services themselves.
After authentication, the communication moves to a secure, i.e. encrypted, channel.
Actually, it’s possible to have the encryption even without authentication: If the web browser can’t authenticate the server, it can use the encryption anyway, and warn you that the website’s SSL certificate is not trusted. Some browsers just display a small icon indicating this, while others show you a warning message.
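As an added example (not part of this wiki page or the Rel4tion project), the own-CA setup described above done with the openssl command-line tool: a private root CA issues a server certificate, and that certificate verifies only on a client that has the CA's root certificate installed and is connecting to the expected name. It assumes the openssl CLI is available; the CA name, host names and temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Rel4tion wiki: build a private CA with the openssl
# command-line tool, issue a server certificate signed by it, and show that the
# certificate only verifies on a client that trusts the CA's root certificate.
# Assumes the openssl CLI; "Example Private CA", "example.test" and "other.test"
# are constructed names.
set -e
WORK="${TMPDIR:-/tmp}/ssl_demo.$$"

make_ca_and_server() {
  mkdir -p "$WORK"
  # Root CA: a self-signed certificate. Its private key is the trust anchor and
  # must stay offline; whoever holds it can issue certificates clients accept.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 30 -subj "/CN=Example Private CA" >/dev/null 2>&1
  # Server key and certificate signing request (CSR). The private key stays on
  # the server; only the CSR (public key + name) is handed to the CA.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=example.test" >/dev/null 2>&1
  # The CA signs the CSR: this is the certificate the server presents to clients.
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" -days 30 \
    >/dev/null 2>&1
}

# Client with the CA root installed, connecting to example.test: verification
# succeeds (exit status 0).
verify_trusted_client() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname example.test \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Client with no trust anchors for this CA: fails ("unable to get local issuer
# certificate"). A browser in this state can still encrypt the connection but
# cannot authenticate the server, so it warns that the certificate is untrusted.
verify_unknown_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

# Client that trusts the CA but asked for a different name: fails, because a
# valid CA signature alone does not prove the certificate belongs to the site
# the user wanted to reach.
verify_wrong_hostname() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname other.test \
    "$WORK/server.crt" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }
```

Run `make_ca_and_server` once, then call the three verify functions and check their exit status; `cleanup` removes the generated keys and certificates.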