SSL (Secure Sockets Layer) is the specification of a technology for securing data in transit over the Internet. The data to be transmitted is encrypted and thus protected against eavesdropping by third parties; HTTPS is simply HTTP carried over such an SSL/TLS connection, not the other way round. The encryption is supplemented by authentication of the communication participants, which protects against impersonation of the server. The term SSL has since been replaced by TLS (Transport Layer Security). TLS is the direct successor of SSL, and many software packages and libraries still carry SSL in their names for historical reasons, but it is not only the name that changed: TLS 1.0 was derived from SSL 3.0 without being interoperable with it, and later TLS versions (up to TLS 1.3) have replaced large parts of the original design. SSL 2.0 and SSL 3.0 themselves are deprecated (RFC 6176 and RFC 7568) and should no longer be enabled.
From SSL to TLS - similarities and differences
The widely deployed technology generally known by the abbreviation SSL is today continued and developed under the name TLS. The basic concepts have not changed: it is still a hybrid encryption protocol that uses public-key cryptography to authenticate the server and to agree on a session key, and symmetric encryption for the application data. The last version published under the SSL name was SSL 3.0; the protocol was then further developed and standardized by the IETF as TLS, starting with TLS 1.0 (RFC 2246) and currently at TLS 1.3 (RFC 8446). In general usage the two terms are often used synonymously, but the version numbers must be kept apart: SSL 3.0 is not the same as TLS 1.0, even though TLS 1.0 was derived from it and identifies itself on the wire as version 3.1. In this presentation the abbreviation SSL is used because it is more widely known and it is still common to speak of SSL even when TLS is meant. The basic concepts presented here are identical for SSL and TLS. For specific uses there are different implementations with different names, such as OpenSSL, GnuTLS and LibreSSL; all of them implement TLS.
Cryptography and identity verification - the SSL functional principle
The functional principle of the Secure Sockets Layer or Transport Layer Security has two parts: in addition to encrypting the data, it authenticates the communication partner. SSL is widely used, most often for the secure retrieval of confidential data from, and the secure transmission of confidential data to, an HTTP server (web server). The authenticity of the contacted server is established by a certificate, and the connection between server and client is encrypted. Because SSL is so widespread, it has become the standard way of adding a secure channel to application protocols that provide no confidentiality or authentication of their own (HTTP becomes HTTPS, for example); the application protocol itself is left unchanged and simply runs inside the protected connection.
Certification and authentication
Certification and authentication, before any data is carried over an SSL connection, proceed in the following steps:
- Certification of the public key (takes place once, before any connection)
The server operator generates a key pair and submits the public key to a certification authority (CA). After validating that the applicant controls the domain (and, depending on the certificate type, the organisation behind it), the CA issues a certificate that binds the server's name to its public key and carries the CA's signature.
- Authentication of the server
The client opens the connection with an SSL handshake request (the ClientHello); the server replies with its certificate (and usually the intermediate certificates needed to chain up to a root) and proves possession of the matching private key during the key exchange.
- Validation of the received certificate
The client validates the certificate locally: it checks the signature chain up to a CA certificate in its own trust store (the root certificates shipped with the browser or operating system), the validity period, and that the name in the certificate matches the host it intended to reach. The CA is not contacted for this; at most the client queries the CA's revocation service (a CRL or OCSP responder) to confirm that the certificate has not been revoked.
- Encrypted data transmission
Only if the certificate validates and the server has proven possession of the private key does the client derive the session keys and begin transmitting encrypted application data. If validation fails, the client aborts the handshake with an alert and no application data is sent.
Encrypting and decrypting
The cryptography of the SSL protocol rests on a digital key pair consisting of a public key and a private key. The two keys are different, and only the private key must be kept secret. The client obtains the server's public key from the certificate that the server presents when authenticating itself. This is "asymmetric encryption", also called the "public-key procedure": what is encrypted with the public key can be decrypted only with the matching private key, which the server must therefore keep secret at all costs. Asymmetric cryptography is slow, however, so it is not used for the payload. It is used only during the handshake, to authenticate the server and to agree on a fresh, random session key: in the older RSA key exchange the client encrypts a secret to the server's public key, while in the (EC)DHE key exchange that TLS 1.3 requires both sides contribute to an ephemeral Diffie-Hellman agreement and the server signs the exchange with its private key. The application data itself is then encrypted and decrypted by both sides with a symmetric cipher such as AES-GCM or ChaCha20-Poly1305 under that session key. This combination is why SSL/TLS is called a hybrid encryption protocol. A practical consequence of the ephemeral key exchange is forward secrecy: a later compromise of the server's private key does not allow previously recorded sessions to be decrypted.
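The four steps above and the key-pair description in this section, as one runnable example added by the editor (it is not code from the original page): a toy certification authority built with Go's standard library issues a certificate for the invented name www.example.test, a loopback TLS server presents it, and a client validates it against its own trust store before sending any application data. Three runs show the expected outcomes: success when the client trusts the CA and the name matches, rejection with an unknown-authority error when the CA is not in the trust store, and rejection with a hostname error when the name does not match. No request is made to the CA during validation; the client verifies the signature chain locally. The CA name, host names, serial numbers and the probe message are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// probe is a constructed application-layer message; the toy server echoes it back.
const probe = "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// buildPKI is step 1 ("certification takes place once"): a toy CA (invented name)
// self-signs a root and then signs the server's public key into a leaf certificate.
// The server's private key never leaves the server. Returns the root certificate
// (what a client carries in its trust store) and the server's TLS configuration.
func buildPKI() (*x509.Certificate, *tls.Config) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	caTmpl := template(1, "Example Root CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	srvPub, srvKey, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	srvTmpl := template(2, "www.example.test")
	srvTmpl.DNSNames = []string{"www.example.test"} // the name the client will check
	srvTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, srvPub, caKey)
	must(err)
	cert := tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}
	return caCert, &tls.Config{Certificates: []tls.Certificate{cert}}
}

// attempt runs steps 2-4 from the client's side against a loopback server.
// trustRootCA says whether root is in the client's trust store; serverName is the
// host the client believes it is reaching. It returns the connection state, the
// echoed data and an outcome: "ok", "unknown_authority", "hostname_mismatch" or "error".
func attempt(root *x509.Certificate, serverCfg *tls.Config, trustRootCA bool, serverName string) (*tls.ConnectionState, string, string) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	must(err)
	defer ln.Close()
	go func() { // server: step 2, present the certificate in the handshake, then echo
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			buf := make([]byte, 256)
			if n, err := c.Read(buf); err == nil { // Read drives the server-side handshake
				c.Write(buf[:n])
			}
		}
	}()
	roots := x509.NewCertPool() // the client's trust store: empty unless the root is added
	if trustRootCA {
		roots.AddCert(root)
	}
	// Step 3 happens inside tls.Dial: the chain is verified against roots and the
	// certificate's names are matched against serverName, entirely on the client.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12,
	})
	var ua, hn = x509.UnknownAuthorityError{}, x509.HostnameError{}
	switch {
	case errors.As(err, &ua):
		return nil, "", "unknown_authority"
	case errors.As(err, &hn):
		return nil, "", "hostname_mismatch"
	case err != nil:
		return nil, "", "error"
	}
	defer conn.Close()
	// Step 4: application data travels under the symmetric session key only now.
	_, err = conn.Write([]byte(probe))
	must(err)
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	must(err)
	st := conn.ConnectionState()
	return &st, string(buf[:n]), "ok"
}

func main() {
	root, cfg := buildPKI()
	for _, c := range []struct{ trust bool; name string }{
		{true, "www.example.test"}, {false, "www.example.test"}, {true, "shop.example.test"}} {
		st, _, outcome := attempt(root, cfg, c.trust, c.name)
		if st != nil {
			outcome += fmt.Sprintf(" (version=0x%04x suite=%s)", st.Version, tls.CipherSuiteName(st.CipherSuite))
		}
		fmt.Printf("trust=%-5v name=%-17s -> %s\n", c.trust, c.name, outcome)
	}
}
```

Run it with `go run`. The cipher suite printed for the successful run (for example TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256 under TLS 1.3) names the symmetric algorithm that protects the application data; the CA's key was used only to sign the certificate and the server's key only to sign the handshake, which is the hybrid construction described above. In the two failing runs the handshake is aborted before the probe is written, so the server never receives application data.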
The certificates
Both SSL and TLS work with so-called PKIX certificates, that is, X.509 version 3 certificates as profiled for the Internet public key infrastructure (RFC 5280). Three types of certificate are distinguished by the amount of verification the CA performs before issuance, and therefore by the level of assurance about the certificate holder:
- The Domain Validated certificate (DV-SSL) is the cheapest. The CA verifies only that the applicant controls the domain, typically by an e-mail to an address at that domain, by a DNS record or by a file placed on the web server, and the certificate is usually issued within minutes. It proves control of the domain name, not who is behind it.
- The Organisation Validated certificate (OV-SSL) additionally verifies the legal existence of the company or operator, whose name is then included in the certificate's subject.
- The Extended Validation certificate (EV-SSL) involves the most thorough vetting of the organisation and is common in the banking sector, among others. Note that current browsers no longer show a distinct EV indicator in the address bar, and that all three types provide the same cryptographic protection: the level of validation affects only what the certificate asserts about its holder, not the strength of the encrypted connection.
The limitations of SSL/TLS
The SSL protocol secures only data in transit. What happens to the data once it has been decrypted at either end is outside its scope: a compromised server, a vulnerable web application or malware on the client can read or alter the data regardless of how well the connection was protected. Nor does a valid certificate say anything about the trustworthiness of a site's content; it proves only that the connection reached the domain named in the certificate.