
Server certificates take advantage of TLS to work seamlessly between your web site and your visitors' web browsers. This is how the process works:

1. A customer contacts your site through a secured URL (indicated by an address that begins with "https:" instead of just "http:", or by a message from the browser). When a web connection uses TLS/SSL, it connects to port 443 instead of port 80, which is why the address prefix is HTTPS (443) instead of HTTP (80).

2. Your web server responds, automatically sending the customer your site's digital certificate, which authenticates your site.

3. Your customer's web browser generates a unique "session key" to encrypt all communications with the web site.

4. The user's browser encrypts the session key itself with the site's public key (carried in the certificate), so only the site can read the session key.

5. A secure session is now established. It all takes only seconds and requires no action by the user. Depending on the browser, the user may see a key icon becoming whole or a padlock closing, indicating that the session is secure. If your site doesn't have a digital certificate, visitors will see a warning message when they attempt to submit credit card or personal information.

A server certificate is specific to a domain or website

On receipt, the browser automatically checks the certificate for three things:

  • Expiration date: Is the certificate still valid?
  • Address of the web site: Does the address in the certificate match the web server address?
  • Issuer: Can the certificate be verified with the certificate issuer (for example VeriSign) to confirm that it can (still) be trusted?

The first check is mandatory: without a valid TLS/SSL certificate the encryption does not work at all.

The second check shows that a server certificate is issued for a specific domain or web site. When a certificate is used on a different web address than the one it was issued for, every client that tries to log in receives a message from the browser stating that there is a possible security problem. The client can accept the risk and still log in over an encrypted connection to the web server.

The browser behaves the same way when the third check fails, so the second and third checks are not mandatory for the encryption to work (on most browsers the outcome is shown by means of a lock symbol).
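The three checks described above, as an added example (not from this page and not any browser's actual code) in Python using only the standard library: the certificate dict, the "Example Trusted CA" issuer and the dates are constructed, and the issuer check is a simplified name comparison that stands in for real chain and revocation verification.

```python
import ssl

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert();
# the names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
# Stand-in for the browser's trust store: a real client verifies chain signatures
# against stored CA certificates; here only the issuer name is compared.
TRUSTED_ISSUERS = {"Example Trusted CA"}

def _dns_match(pattern, hostname):
    # '*' is allowed only as the whole leftmost label and covers exactly one label,
    # so '*.example.com' matches 'shop.example.com' but not 'example.com'.
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert, hostname):
    # Check 2: DNS subjectAltName entries are authoritative; commonName is a fallback.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, hostname) for n in names)

def is_within_validity(cert, now):
    # Check 1: 'now' (seconds since the epoch, UTC) lies inside notBefore..notAfter.
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end

def issuer_trusted(cert, trusted=TRUSTED_ISSUERS):
    # Check 3 (simplified): the issuing CA must be one the client already trusts.
    orgs = [v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "organizationName"]
    return any(o in trusted for o in orgs)

def check_certificate(cert, hostname, now, trusted=TRUSTED_ISSUERS):
    # Names of the failed checks; an empty list is the 'padlock' case.
    checks = [("expired", is_within_validity(cert, now)),
              ("hostname", hostname_matches(cert, hostname)),
              ("issuer", issuer_trusted(cert, trusted))]
    return [name for name, ok in checks if not ok]
```

An empty result corresponds to the closed padlock; a "hostname" or "issuer" entry is the warning the text describes, which a user can click through, while "expired" is the failure that leaves no usable certificate.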

TLS/SSL

Digital certificates encrypt data using Transport Layer Security (TLS), which is based upon the older Secure Sockets Layer (SSL) technology, the industry-standard method for protecting web communications. The TLS security protocol provides data encryption, server authentication, message integrity, and optionally, client authentication for a TCP/IP connection. Because TLS is built into all major browsers and web servers, simply installing a digital certificate turns on their TLS capabilities. TLS comes in two strengths:

  • 40-bit: so-called Secure Server IDs
  • 128-bit: so-called Global Server IDs

The number of bits refers to the length of the "session key" generated for every encrypted transaction. The longer the key, the harder it is to break the encryption.

Most browsers support 40-bit TLS sessions, and the latest browsers let users encrypt transactions in 128-bit sessions. Global companies that require international transactions over the web can use a global server certificate program to offer strong encryption to their customers. VeriSign's Security Center gives you access to a wealth of security resources, products, technologies, and news.
