3.3 Encrypted network connections
As you learned earlier, web traffic is not encrypted by default. Web pages pass as plaintext across the internet and are vulnerable to interception.
Obviously, this was a problem when companies first began to consider online shopping. At first companies had to ask customers to browse online and then make a telephone call so the company could accept credit card information.
The solution came in 1995 when the web browser pioneer Netscape announced the Secure Socket Layer (SSL) protocol (this has now been replaced by Transport Layer Security (TLS)), which would allow web browsers to exchange secure data. It is supported by all modern browsers and allows confidential information to be exchanged over an insecure link.
TLS/SSL uses a combination of asymmetric and symmetric encryption to exchange data. When a web browser connects to a server and requests a secure communication the two computers first engage in what is known as a handshake and agree how future communications will be conducted, including the type of cryptography that will be used.
After agreeing how to communicate, the server transmits its own public key and a digital certificate of authenticity to the user’s computer which checks that the certificate is genuine and has not expired. If the certificate is genuine, the user’s computer then generates a master secret, encrypts it with the copy of the server’s public key and sends that to the server.
The server decrypts the encrypted master secret with its own private key. Both the server and the computer now have copies of the secret and use that to generate identical copies of a symmetric encryption key. Crucially, the key itself has not been transmitted across the network.
Each computer now informs the other that all other transactions in this session will be conducted using the symmetric key (called the session key), by sending ‘finished’ handshake messages using each other’s session keys. The two computers can now perform the secure transaction itself, including sensitive information such as bank account details, addresses, credit card numbers and receipts using the high-speed symmetric key.
At the end of the secure session, the two computers say goodbye to one another and each deletes their copies of the symmetric session key. If the user starts another secure session a completely new key will be used.
As well as e-commerce sites, TLS/SSL is supported by other websites that supply confidential information including banks and some email clients. Its use means that end users can benefit from the confidentiality and integrity provided by cryptography without having to worry about the technical details of configuring their software or managing keys.
In the next section you’ll see TLS/SSL in action.