How SSL Works

When a Web browser tries to connect to a website using SSL, the browser will first request the web server identify

itself. This prompts the web server to send the browser a copy of the SSL Certificate. The browser checks to see if

the SSL Certificate is trusted --  if the SSL Certificate is trusted, then the browser sends a message to the Web

server. The server then responds to the browser with a digitally signed acknowledgement to start an

SSLencrypted session. This allows encrypted data to be shared between the browser and the server. You may notice

that your browsing session now starts with https (and not http).

Secure HTTP (S-HTTP)

Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP). Whereas SSL

creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-

HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, can be seen as

complementary rather than competing technologies. Both protocols were approved by the Internet Engineering Task

Force (IETF) as a standard.

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a
web server and a browser. This link ensures that all data passed between the web server and browsers
remain private and integral. SSL is an industry standard and is used by millions of websites in the protection
of their online transactions with their customers.

To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to
activate SSL on your web server you will be prompted to complete a number of questions about the identity
of your website and your company. Your web server then creates two cryptographic keys - a Private Key and
a Public Key.

The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) - a data file
also containing your details. You should then submit the CSR. During the SSL Certificate application process,
the Certification Authority will validate your details and issue an SSL Certificate containing your details and
allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your
web server will then be able to establish an encrypted link between the website and your customer's web
browser.

The complexities of the SSL protocol remain invisible to your customers. Instead their browsers provide
them with a key indicator to let them know they are currently protected by an SSL encrypted session - the
lock icon in the lower right-hand corner, clicking on the lock icon displays your SSL Certificate and the
details about it. All SSL Certificates are issued to either companies or legally accountable individuals.

Typically an SSL Certificate will contain your domain name, your company name, your address, your city,
your state and your country. It will also contain the expiration date of the Certificate and details of the
Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure
site it will retrieve the site's SSL Certificate and check that it has not expired, it has been issued by a
Certification Authority the browser trusts, and that it is being used by the website for which it has been
issued. If it fails on any one of these checks the browser will display a warning to the end user letting them
know that the site is not secured by SSL.

Be sure to visit SSLTools.com for some great services and tools to assist in your implementation of ssl on
your site or if you want to examine the ssl certificates of other websites.

Secure Sockets Layer (SSL): How It Works

What Happens When a Browser Encounters SSL

A browser attempts to connect to a website secured with SSL.

The browser requests that the web server identify itself.

The server sends the browser a copy of its SSL Certificate.

The browser checks whether it trusts the SSL Certificate. If so, it sends a message to the server.

The server sends back a digitally signed acknowledgement to start an SSL encrypted session.

Encrypted data is shared between the browser and the server and https appears.

Encryption Protects Data During Transmission

Web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to help users protect their
data during transfer by creating a uniquely encrypted channel for private communications over the public
Internet. Each SSL Certificate consists of a key pair as well as verified identification information. When a
web browser (or client) points to a secured website, the server shares the public key with the client to
establish an encryption method and a unique session key. The client confirms that it recognizes and trusts
the issuer of the SSL Certificate. This process is known as the "SSL handshake" and it begins a secure
session that protects message privacy, message integrity, and server security.

Credentials Establish Identity Online

Credentials for establishing identity are common: a driver's license, a passport, a company badge. SSL
Certificates are credentials for the online world, uniquely issued to a specific domain and web server and
authenticated by the SSL Certificate provider. When a browser connects to a server, the server sends the
identification information to the browser.

To view a websites' credentials:

Click the closed padlock in a browser window

Click the trust mark (such as a Norton Secured Seal)

Look in the green address bar triggered by an Extended Validation (EV) SSL
Authentication Generates Trust in Credentials

Trust of a credential depends on confidence in the credential issuer, because the issuer vouches for the
credential's authenticity. Certification Authorities use a variety of authentication methods to verify
information provided by organizations. Symantec, the leading Certification Authority, is well known and
trusted by browser vendors because of our rigorous authentication methods and highly reliable
infrastructure. Browsers extend that trust to SSL Certificates issued by Symantec.

Extend Protection beyond HTTPS

Symantec SSL Certificates offer more services to protect your site and grow your online business. Our
combination of SSL, vulnerability assessment and daily website malware scanning helps you provide site
visitors with a safer online experience and extend server security beyond https to your public-facing web
pages. The Norton Secured Seal and Symantec Seal-in-Search technology help assure your customers that
your site is safe from search to browse to buy.

To learn more about how SSL certificates work and the benefits of implementing SSL on your website, visit
our "SSL Explained" interactive resource.