In the very early days of the Internet, all sites were accessed with no security or encryption. In 1994, the Secure Sockets Layer (SSL) was introduced as a way to securely access a website over the public Internet. Even then, sites would only use this technology if they were accepting credit cards or other sensitive information. Now, it is common for all sites to use HTTPS by default. But what does SSL actually do?
SSL primarily accomplishes two goals.
- Encryption between your device and the web server
- Verification that the site you are visiting is actually the legit one
Encryption is obviously important if you are banking online or having a private conversation with someone. It means that even if your Internet line is “tapped”, the data would look like garbage without the private key to decrypt it. As technology has progressed, SSL has changed and improved to support more complex encryption that is even harder to crack. This is why your web server needs to renew and re-key SSL certificates fairly regularly. Visiting a site that uses SSL does not give you complete privacy, though.
Accessing a website also relies on a DNS query to map the friendly name of the site to an IP address. This lookup is not encrypted, and it relies on a DNS server to look up your query. Typically, this lookup is done by your ISP, like Comcast, AT&T, etc. These companies may not be able to read the specific content of your visit, but they do know what sites you went to.
Verification is the other main goal of SSL. Encrypting your communication does no good if you are sending it to a fake site. Through different methods, a hacker could set up their own server to pose as a website and collect your data. Mimicking a website is relatively easy to do. What a hacker can’t mimic, though, is a valid certificate issued by a trusted provider. SSL issuers that are trusted by default in most browsers will almost always verify the owner of a website before a certificate is issued. Hackers can’t easily impersonate a valid certificate from a trusted issuer. If you are visiting a site without a green padlock, there is no verification that the site really is the one you wanted to visit. This is how most phishing scams work: sites impersonate a reputable site and bait users into giving away their information freely.
Because of the relative ease and obvious benefits of SSL, browsers have started to penalize non-SSL sites by marking them as not secure. In addition, search engines may also view an insecure site less favorably, which hurts its search ranking. We have been implementing HTTPS on all new sites we launch for our customers and strongly encourage older sites to adopt this security feature as well.