Understanding How SSL Encryption Works

Most people know that SSL (Secure Sockets Layer) or TLS (Transport Layer Security) is encryption that scrambles the data a person types on a website, to keep it from getting into the wrong hands. When you enter your credit card number while shopping online, for example, the details are protected as they travel from your browser to the website. No one but you and the website operator can read the information. That’s what the padlock and the HTTPS prefix in your browser’s address bar mean. Let’s take a look at how this encryption actually works:

The SSL Handshake

For the techies out there, the data delivery process is called TCP (Transmission Control Protocol). Think of TCP as the pipe that delivers clean (encrypted) water. When you open your browser (called ‘the client’) and access an encrypted website (called ‘the server’), it kicks off the SSL Handshake. This process happens in a few steps:
  1. Your browser client starts the handshake by sending across its SSL compatibility information. It also checks the validity of the website’s SSL certificate, i.e. it ensures the SSL/TLS certificate is legitimately authenticated so it can be trusted. Tech-savvy people can generate something that looks like an SSL certificate, but it’s like naming a website The Bank of America: that doesn’t make it true. It’s important to know that every SSL/TLS certificate works with two keys: a public key that encrypts data and a private key that unlocks it. Like a government mailbox, you put your letter in (public key), and only the mail workers have access to take the letter out (private key). It’s a one-way interaction, which is why it’s called an asymmetric-key system.
  2. After your browser confirms the SSL certificate is valid, it encrypts the data transfer session with the website server’s public key.
  3. The website server then receives the private key from the browser client for decryption.
  4. Both sides agree on something called a cipher suite, and generate session keys (also called symmetric keys because the same key is used on both sides) which allow them to encrypt and decrypt the data sent during an SSL session.
This sounds complicated, but the SSL Handshake takes milliseconds, which just shows how amazing the technology is behind the scenes. Now the data encryption is in place and the information is sent securely between your browser and the website. It’s like people getting to know each other before they feel safe to talk more deeply, only it happens in the blink of an eye.

Encryption Strength

Industry-standard SSL/TLS strength is 256-bit encryption for data moving from your browser to a website server. The bigger the number, the longer it takes to break the encryption and decrypt the data. Put another way, a higher bit strength makes it harder for criminal types to hack in and decrypt private information. If 256-bit is not supported by either the browser or the server, the SSL session steps down to 128 bits. This is not something to worry about really, because modern setups support 256 bits. Encryption strength also involves ciphers and algorithms, but this article is about giving you the main points to understand, without getting too complex.
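The cipher-suite agreement in step 4 of the handshake and the 256-bit/128-bit step-down described above can be modelled in a few lines. The following is an added example, not code from the original article: it parses OpenSSL-style suite names (hyphenated TLS 1.2 names such as ECDHE-RSA-AES256-GCM-SHA384 and underscored TLS 1.3 names such as TLS_AES_128_GCM_SHA256) to recover the symmetric key length, then simulates the server choosing the first mutually supported suite. The client and server preference lists are constructed sample data, not any real browser's or server's configuration; `local_suites` additionally reads what the local OpenSSL build enables via the standard-library `ssl` module.

```python
"""Cipher-suite negotiation and key-strength step-down (added example).

Suite names follow OpenSSL's naming convention. All preference lists are
constructed sample data, not a real browser's or server's configuration.
"""
import re
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str      # ECDHE, DHE, ECDH, DH, RSA, or TLS1.3 (always ephemeral)
    bulk_cipher: str       # AES or CHACHA20
    bits: int              # symmetric session-key length in bits
    forward_secret: bool   # True when the key exchange is ephemeral


# Symmetric cipher token inside a suite name: AES128 / AES_256 / CHACHA20.
_BULK_RE = re.compile(r"(AES)[-_]?(128|256)|(CHACHA20)")


def parse_suite(name: str) -> CipherSuite:
    """Parse an OpenSSL-style suite name into its security-relevant parts.

    Raises ValueError for names whose bulk cipher is not AES or ChaCha20,
    so legacy suites (3DES, RC4, NULL) are never silently treated as strong.
    """
    m = _BULK_RE.search(name)
    if not m:
        raise ValueError(f"unsupported or legacy bulk cipher in {name!r}")
    if m.group(1):
        bulk, bits = "AES", int(m.group(2))
    else:
        bulk, bits = "CHACHA20", 256          # ChaCha20 always uses a 256-bit key
    if name.startswith("TLS_"):
        kx = "TLS1.3"                         # TLS 1.3 only permits ephemeral (EC)DHE
    else:
        first = name.split("-")[0]
        # A suite name with no explicit key-exchange prefix uses static RSA.
        kx = first if first in ("ECDHE", "DHE", "ECDH", "DH") else "RSA"
    return CipherSuite(name, kx, bulk, bits, forward_secret=kx in ("ECDHE", "DHE", "TLS1.3"))


def negotiate(client_offer: List[str], server_supported: List[str],
              server_prefers_own_order: bool = True) -> Optional[CipherSuite]:
    """Return the suite the server picks, or None when nothing overlaps.

    With server_prefers_own_order the server walks its own list and takes
    the first suite the client also offered (the usual hardened setting);
    otherwise it honours the client's order. No overlap aborts the handshake.
    """
    offered, supported = set(client_offer), set(server_supported)
    order = server_supported if server_prefers_own_order else client_offer
    for name in order:
        if name in offered and name in supported:
            return parse_suite(name)
    return None


def require_min_bits(suites: Iterable[str], min_bits: int) -> List[str]:
    """Keep only suites whose session key is at least min_bits long."""
    return [s for s in suites if parse_suite(s).bits >= min_bits]


def local_suites(min_bits: int = 0) -> List[str]:
    """Suite names the local OpenSSL build enables for a default client context."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] >= min_bits]


# Constructed sample data: a client that prefers 256-bit suites but still
# offers 128-bit ones, a server that only has 128-bit suites enabled, and a
# server with a modern configuration.
CLIENT_OFFER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]
LEGACY_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
MODERN_SERVER = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                 "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]


if __name__ == "__main__":
    for label, server in (("legacy", LEGACY_SERVER), ("modern", MODERN_SERVER)):
        chosen = negotiate(CLIENT_OFFER, server)
        print(f"{label:7s} server -> {chosen.name} ({chosen.bits}-bit, fs={chosen.forward_secret})")
    # A client that refuses anything below 256 bits cannot talk to the legacy server.
    print("strict client vs legacy server:", negotiate(require_min_bits(CLIENT_OFFER, 256), LEGACY_SERVER))
    print("local 256-bit suites:", local_suites(256))
```

Running the script shows the step-down the article describes: against the legacy server the session ends up on a 128-bit AES suite even though the client asked for 256-bit first, while the modern server lands on TLS_AES_256_GCM_SHA384. A client that strips its 128-bit suites gets no overlap at all, which is the trade-off behind "steps down to 128 bits": the alternative is a failed connection.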

Take Away

HTTPS websites allow customers to have a data session, where they can safely share their personal information (such as email address or credit card details) on websites. This process involves the SSL Handshake. It boils down to the browser you’re using getting to know the website server you’re engaging with, so they can agree on the best way to encrypt the travelling data. It’s a robust, structured and fairly complex process behind the scenes, but to users it all happens in the blink of an eye. Almost like magic.