Glossary Of SSL Terms And Jargon Buster

Confused by all the SSL terms and jargon used - use our handy SSL jargon buster to help explain what they all mean.

SSL is short for Secure Sockets Layer. The SSL protocol was developed by Netscape and is supported by all popular web browsers such as Internet Explorer, Netscape, AOL and Opera. For SSL to work a SSL certificate issued by a certification authority must be installed on the web server, SSL can then be used to encrypt the data transmitted (secure SSL transactions) between a browser and web server (and vice versa). Browsers indicate a SSL secured session by changing the http to https and displaying a small padlock. Web site visitors can click on the padlock to view the SSL Certificate.

TLS is short for Transport Layer Security. The TLS protocol is designed to one day supersede the SSL protocol, however at present few use it instead of SSL

Browsers can connect to web servers over http and over https. Connecting over https involves you entering https:// before the domain name or URL and, providing the web server has a SSL Certificate, the connection will be secured and encrypted.

128 Bit SSL is also referred to as strong SSL security. The 128 Bit tells users that the size of the encryption key used to encrypt the data being passed between a web browser and web server is 128 Bits in size (mathematically this would be 2 to the power of 128). Because the size of the 128 Bit key is large it is computationally unfeasible to crack and hence is known as strong SSL security.

Most web servers and web browsers support 128 Bit SSL. However some versions outside of the US will only support 40 bit SSL and should be upgraded.

CSR is short for Certificate Signing Request. When applying for a SSL Certificate the first stage is to create a CSR on your web server. This involves telling your web server some details about your site and your organization; it will then output a CSR file. This file will be needed when you apply for your SSL Certificate.

The SSL Key, also known as a Private Key, is the secret key associated with your SSL Certificate and should reside securely on your web server. When you create a CSR your web server will also create a SSL Key. When your SSL Certificate has been issued, you will need to install the SSL Certificate onto your web server - which effectively marries the SSL Certificate to the SSL key. As the SSL key is only ever used by the web server it is a means of proving that the web server can legitimately use the SSL Certificate.

If you do not have, or lose either the SSL Key or the SSL Certificate then you will no longer be able to use SSL on your web server.

The SSL handshake is the term given to the process of the browser and web server setting up a SSL session. The SSL handshake involves the browser receiving the SSL Certificate and then sending "challenge" data to the web server in order to cryptographically prove whether the web server holds the SSL key associated with the SSL Certificate. If the cryptographic challenge is successful then the SSL handshake has completed and the web server will hold a SSL session with the web browser. During a SSL session the data transmitted between the web server and web browser will be encrypted. The SSL handshake takes only a fraction of a second to complete.

A port is the "logical connection place" where a browser will connect to a web server. The SSL port or the https port is the port that you would assign on your web server for SSL traffic. The industry standard port to use is port 443 - most networks and firewalls expect port 443 to be used for SSL. However it is possible to name other SSL ports / https ports to be used if necessary. The standard port used for non-secure http traffic is 80.

SSL Proxy allows non-SSL aware applications to be secured by SSL. The SSL Proxy will add SSL support by being plugged into the connection between the browser (or client) and the web server. Stunnel (www.stunnel.org) is such a SSL proxy.

Ordinarily the SSL handshake and subsequent encryption of data between a browser and the web server is handled by the web server itself. However for some extremely popular sites, the amount of traffic being served over SSL means that the web server either becomes overloaded or it simply cannot handle the required number of SSL connections. For such sites a SSL accelerator can help improve the number of concurrent connections and speed of the SSL handshake. SSL accelerators offer the same support for SSL as web servers.

IIS is short for Internet Information Services and is Microsoft's popular web server software. IIS has full support for SSL, including a CSR generation wizard.

Host headers are used by IIS as a means of serving multiple web sites using the same IP address. As a SSL Certificate requires a dedicated IP address host headers cannot be used with SSL. When the SSL protocol takes place the host header information is also encrypted - as a result the web server does not know which web site to connect to. This is why a dedicated IP address per web site must be used.

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the secure sockets layer (SSL v2/v3) and transport layer security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

It is possible for a web hosting company to share a single SSL Certificate - this allows the same SSL Certificate to be used by many web sites without the need to issue individual SSL Certificates to each hosting customer. The recommended way to share SSL is to use a wildcard SSL Certificate. This allows the unlimited use of different sub domains on the same domain name. The wildcard certificate allows the web hosting company to give each customer a secure sub domain, such as customer1.webhost.com, customer2.webhost.com, etc. The same can be applied for organizations wanting to secure multiple sub domains within the enterprise network.

CPS is short for Certification Practice Statement. The CPS is a document published by the certification authority and outlines the practices and policies employed by the organization in issuing, managing and revoking digital certificates.

CRL is short for Certificate Revocation List. The CRL is a digitally signed data file containing details of each digital certificate that has been revoked. The CRL can be downloaded and installed into a users browser and ensures that the browser will not trust a revoked digital certificate.