How do we keep our communication private?
I have a secret to tell. Lean in so I can whisper in your ear so no one else can hear …
We all have “secrets” that we communicate over the internet all the time. Credit card numbers, passwords, social security numbers, and chat sessions are all examples. In today’s world, for the most part, our secret communications are secure if you’re taking the right precautions. This wasn’t always the case. Now let’s go back, way back in internet time, to 1994.
Internet communication in 1994 was the equivalent of whispering a secret in someone’s ear only to realize that the whole room could overhear your conversation. Obviously this wasn’t ideal. Leading minds of the time knew this had to be fixed to facilitate the growth of the internet.
Netscape Communications dominated the internet world in 1994. Do you remember them? Their iconic, innovative web browser controlled the market with an 80% plus share.
Netscape had a problem. Hackers could far too easily “listen” to communications sent through their browser and over the internet. This issue was eroding the confidence of web surfers, who were loath to transact any type of commerce over the internet.
How could the hackers listen in? Well, let’s do a quick high-level review of how messages are sent over the internet.
Networks at the time were all connected together with wires. Every computer connected to a network’s wire has the ability to “hear” all communications on that wire. In the computer world, messages are packaged and addressed for individual computers, but the address does not stop hackers from intercepting and reading the messages. In 1994’s world, an employee with little technology background could easily download software that would let them see what their co-workers were surfing on the web. Scary!
Networks including the internet are linked together through special computers called routers. Think of routers like the post office. A router’s responsibility is to listen to the networks it is attached to and send (or “route”) messages to the appropriate address or network location.
A message might be passed through several routers, or “post offices”, before it arrives at its final destination. Every computer in each of the “post offices” the message passes through has the ability to listen to the message.
Netscape recognized the importance of having private conversations on the Internet. They knew electronic commerce (or “ecommerce”) wasn’t possible if credit card numbers were not secure and would be exposed to eavesdropping technology nerds with potentially fraudulent intentions. Nobody would buy anything over the internet if it entailed doing the equivalent of shouting their credit card number in a crowded room of strangers.
Super Secret Decoder Rings
I love the classic movie “A Christmas Story”. Remember when 10-year-old Ralph finally receives his “secret decoder pin” in the mail? The chocolate milk company’s decoder pin was a small round ring with numbers and letters printed on one side. Part of the ring could be rotated so that a series of numbers corresponded to different letters of the alphabet. The ring’s purpose was to give Ralph the ability to decode secret messages announced over the radio after one of his favorite shows. People listening to the show who did not have a decoder pin had no way of knowing what the series of numbers meant. To them, the message had no meaning at all, and until they got their own decoder pin, they would never know the meaning of those secret messages.
Netscape needed to invent the internet version of a “secret decoder ring”. Even more complicated, the new “ring” encryption needed to work at the individual level. Messages sent through the internet needed to be encrypted so that only the intended final recipient of the message would be able to read it.
Netscape succeeded. They called their new personalized “secret decoder ring” … yep you guessed it … Secure Sockets Layer or SSL for short.
How does SSL work? Imagine everyone has two rings. The rings are a pair. One ring is a decoder ring, and the other is an encoder ring. Everything the encoder ring encrypts, the decoder ring knows how to unscramble so it can be read.
However, the decoder ring must be kept private. Nobody should have access to this private decoder ring. If it’s given to anyone but the owner, security is compromised.
Public encoder rings cannot decode what they have encoded, so the encoder ring can be given to anybody. The person who has the private decoder ring is the only one who can understand the messages sent.
In this analogy we have been calling these things that encode and decode messages “rings”. In the Internet world “rings” are actually called “keys”. Keys also come in pairs. One key, the decoder, is a “private key”, and the encoder key is a “public key”.
Computer hardware needs computer software to tell it what to do. One way computers communicate on the internet is by using software called web browsers. Internet Explorer, Apple’s Safari, and Firefox are all examples of web browsers. However, a web browser on one computer doesn’t directly communicate with a web browser on another computer. A web server sits in the middle.
Web servers and browsers know how to use keys to encrypt and decrypt messages. When they begin a private conversation, they do what is called an SSL handshake. During this figurative handshake each application gives the other its public key, or encoder pin. Now the web browser knows how to encode messages so that only the web server can understand and vice-versa. Using the previous room example, a person is now able to speak freely in a crowded room, but only the person they are talking to understands what they are saying. The communication is sent into the public area where everyone can hear it, but the message sounds completely foreign to everyone except the person who can decode it.
Wow those Netscape engineers were smart!
But don’t pat those Netscape guys on the back just yet. There’s a piece of the puzzle missing, which Netscape soon realized. Can you guess what it is? I’ll give you a hint: at this point we have Secure Sockets Layer or SSL, but we don’t have SSL Certificates quite yet.
It’s All About Trust
So what happens when the person who has your decoder ring can’t be trusted? That’s right, fraud can still occur.
Netscape soon recognized that many of the people participating in internet transactions could not be trusted, and that some sort of trust broker had to be built into the process. In other words, the people participating in the transaction had to either trust one another or rely on a separate 3rd party that both individuals trusted.
Let’s return to our room analogy for a moment. Imagine there is one person in the room we are talking in that we know is a trusted person. We have seen him, we have met him, and many people agree this person can be trusted. Now imagine this person has a sticker he can place on encoder rings. This person is willing to place his sticker on public encoder rings only after he knows who owns the encoder ring.
In this scenario, if people exchange public encoder rings with a mutually trusted 3rd party stamp, a level of trust is established. Both individuals recognize that a trusted third party has vouched for the other person.
Does that mean that the company or person you are dealing with can be entirely trusted? Nope. It just means that a trusted 3rd party has verified the identity of the person you are dealing with. If you needed to, you should be able to get that identity from the 3rd party. In other words, these stamps allow a face to be put with a transaction. It makes the transaction less anonymous.
In the Internet world, there are multiple trusted 3rd party “stampers”. They’re called “Certificate Authorities”, or “CAs” for short. You might not know who they are, but the company who created your web browser (Microsoft, Google, AOL, Apple, etc.) has identified these trusted CAs in your web browser. Instead of placing a physical sticker on an encoder ring, these companies wrap their key around your public key in a process called “digitally signing” the key, producing a “digital signature”. The result is called an “SSL certificate”, or “SSL cert” for short. Some people even call them “digital certificates”.
Your web browser knows if a web site’s public key has been signed by one of these certificate authorities. If not, the web browser warns the user that the site being viewed has not been verified by a trusted source.
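To make the two ideas above concrete, the key pair from the “two rings” section and the CA “sticker” from this section, here is an added example that is not code from the original post. It uses textbook RSA with small, hand-picked primes so the arithmetic is visible; the CA name “Example CA”, the site name “shop.example”, the 4-byte secret and all key values are constructed for the illustration. A browser first checks that a site’s public key carries a signature from a CA in its trust store, and only then encrypts a secret that only that site’s private key can decode.

```python
import hashlib
from math import gcd

# Added toy example (not from the original post): textbook RSA with small,
# hand-picked primes so the "encoder ring / decoder ring" idea is visible.
# Real SSL/TLS keys are thousands of bits long and use padding schemes.

def _is_prime(n):
    """Trial division; fine for the small constructed primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d).
    public = the encoder ring you can hand out; private = the decoder ring."""
    if not (_is_prime(p) and _is_prime(q)):
        raise ValueError("p and q must be prime")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public_key, m):
    """Encode an integer message with someone's public encoder ring."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)

def decrypt(private_key, c):
    """Only the holder of the private decoder ring can undo encrypt()."""
    n, d = private_key
    return pow(c, d, n)

def sign(private_key, data):
    """A signature is the private key applied to a hash of the data."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)

def verify(public_key, data, signature):
    """Anyone holding the signer's public key can check the signature."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(signature, e, n) == h

def _cert_body(site_name, site_public_key):
    # The bytes the CA actually signs: who owns the key, and the key itself.
    n, e = site_public_key
    return f"{site_name}|{n}|{e}".encode()

def issue_certificate(ca_name, ca_private_key, site_name, site_public_key):
    """The CA puts its 'sticker' on the site's public encoder ring."""
    return {"subject": site_name, "public_key": site_public_key,
            "issuer": ca_name,
            "signature": sign(ca_private_key, _cert_body(site_name, site_public_key))}

def browser_accepts(trust_store, cert, expected_site):
    """Browser-side check. False means the 'not verified by a trusted
    source' warning: unknown issuer, wrong site name, or bad signature."""
    ca_public = trust_store.get(cert["issuer"])
    if ca_public is None or cert["subject"] != expected_site:
        return False
    return verify(ca_public, _cert_body(cert["subject"], cert["public_key"]),
                  cert["signature"])

def demo():
    """CA signs the shop's key, the browser checks it, then encrypts a secret."""
    # Constructed keys (hypothetical CA and site): the CA's pair and the shop's pair.
    ca_pub, ca_priv = make_keypair(104729, 104723)
    shop_pub, shop_priv = make_keypair(99991, 99989)
    trust_store = {"Example CA": ca_pub}            # what the browser ships with
    cert = issue_certificate("Example CA", ca_priv, "shop.example", shop_pub)
    cert_ok = browser_accepts(trust_store, cert, "shop.example")
    # A certificate stamped by a CA the browser has never heard of gets the warning.
    other_pub, other_priv = make_keypair(104729, 99991)
    other_cert = issue_certificate("Unknown CA", other_priv, "shop.example", other_pub)
    other_ok = browser_accepts(trust_store, other_cert, "shop.example")
    # Handshake-style step: the browser encrypts with the shop's public key.
    secret = int.from_bytes(b"4242", "big")          # constructed 4-byte secret
    ciphertext = encrypt(cert["public_key"], secret)
    return {"cert_ok": cert_ok, "other_ok": other_ok,
            "roundtrip": decrypt(shop_priv, ciphertext) == secret,
            "ciphertext_differs": ciphertext != secret}

if __name__ == "__main__":
    print(demo())
```

The trust store dictionary plays the role of the CA list the browser maker ships; a certificate whose issuer is not in it, or whose site name or signature does not check out, is exactly the case where the browser shows its warning.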
There are multiple companies that can certify that a key is trusted. Examples include VeriSign, Thawte, and GeoTrust. See http://sslcertificatereviews.net for a list of companies and help finding the right one for you.
What’s the difference between the signatures of the different CA companies? One word: trust. When you purchase a signed key, you are purchasing something called a certificate. In reality, the certificate is something many companies could generate. However, a CA company has built up a brand name. They’ve earned the trust of the internet world over the course of time. Accordingly, a web browser won’t flash that dreaded warning when your site has an SSL certificate from one of the trusted CAs.
The percentage of browsers that recognize a CA’s certificates is called “browser recognition”. Most CAs have browser recognition of 99% or greater. However, if you buy a no-name certificate, you may not get that needed trusted key on all browsers that visit your site. You may not be covered, and subsequently trusted, by all your site visitors.
There are also different types of digital certificates. Read the blog post “What is an SSL Certificate” to find out more, and read “What SSL Certificate is best for your website” to help figure out what digital cert to buy.
Hopefully this history lesson was helpful, and not as painful as sitting through a history class back in high school. Good luck!