How does SSL work?

How SSL Works: The Short Version

  1. When a browser visits a website, provided the site has an SSL/ TLS certificate, the two begin what is known as the SSL handshake.
  2. The first step of the SSL handshake involves the browser checking the validity of the SSL certificate, making sure it is authenticated by a legitimate party and therefore trustworthy.
  3. Every SSL certificate has two keys, an associated public key and a private key. Separately, their job is to handle encryption and decryption to communicate securely during the SSL handshake.
  4. After the browser (the client) confirms the SSL certificate is valid, the client and website (the server) create what’s known as a session key, this is a third key. The third key (the symmetric key) is used for the remained of the secure connection.
  5. The handshake takes places over a few hundred milliseconds. Once a secure connection is established, the client and server are communicating safely.

SSL security is similar to those blue USPS mailboxes housed in front of office buildings or outside the post office. Anyone can open the door and put mail in there, however, the door is one-way. Once mail is inserted into the mailbox, the average person can not access it. Instead, a second door secured by a key held only by a postal worker is used to get the mail back out.

This is a rough analogy of the asymmetric-key system adopted by SSL. The public key is, as the name implies, freely available. It lets anyone contact the recipient securely. No one else can see what is being sent, even the sender can’t view what’s been sent after the fact. Only the recipient with the private key can get read the information.

No matter what type of website you run, you should approach the security of your domain the same way you would approach the physical security of your home or business. The internet and technology, in general, is a fast-paced world. It’s not always easy to stay abreast of the latest advancements, particularly if you are busy running your own business. This guide serves to demystify the technology involved in SSL and equip you with the information you need to best protect yourself and your site visitors.


To understand the impact of switching from HTTP to HTTPS, we need to discuss exactly what they are.

HTTP stands for Hyper Text Transfer Protocol. At its most simplified, HTTP allows different computer systems to communicate with each other. This protocol is commonly used to transfer data from a web server to a browser so that users can view web pages. This was the original protocol used for the majority of early websites. While it's an efficient system for communication, it lacks security. With a bit of work, communications between a browser and a server can be intercepted.

HTTPS is a modified version of the HTTP protocol with a layer of additional encryption. The -S identifies the site as secure because it has an SSL certificate that certifies the site’s ownership and encryption technology.

What does HTTPS mean

HTTPS stands for Hyper Text Transfer Protocol Secure. The HTTPS protocol ensures a secure, encrypted 1:1 connection between browser and server.

While it might seem like just an additional letter, the added 'S' indicates the use of a powerful internet security measure, the SSL certificate. Sites with SSL certificates use encryption to keep any connection to their site and any sensitive information (such as customer credit card details or account login information) secure.

The HTTPS prefix is familiar to most people browsing the internet. Users can look for and quickly identify whether a site uses HTTPS protocol by glancing at the URL in their web browser’s address bar. They reason that sites using the HTTPS protocol are safer to browse and interact with.

This extra security measure is not to be underestimated, web-savvy online shoppers won’t buy from a site that hasn’t got the trustworthy SSL certificate. It's crucial to have, especially for websites that take sensitive data from its users, such as credit card information and passwords.

Advantages of Switching

The most pertinent reason to add SSL encryption to a website is user security. This increases the level of customer confidence and trust in a site. Internet users have come to expect the https// prefix in their browser in order to be comfortable submitting any personal information such as their name, address and credit card details. The only way to get the prefix is with SSL:

Google’s Gary Illyes interviewed in in 2015 affirmed that when two web pages are otherwise equal, Google prefers HTTPS sites. In a sense pushing the more secure domain to the head of the line

Think over these reasons why switching your site to the secure protocol is a smart move:

  • Customer information, like credit card numbers, is encrypted and cannot be intercepted

  • Visitors can quickly ascertain whether you are the registered business and owner of the domain

  • Customers are more likely to trust and complete purchases from sites that use HTTPS

  • You have the ability to use AMP - the technology behind mobile web browsers.

How to Establish a Secure SSL Connection?

The job of an SSL certificate is to establish a secure connection. To do so, the SSL certificate encrypts the information users supply to the site using a random 256-bit key, which basically translates the data into noise. In the event someone gets their hands on the data sent between the sender and the recipient, they wouldn't make any sense of it because it uses a one-time key.

The mechanism functions by binding a domain name to IP address with the help of a trusted third party. It then uses this binding to create a secure, encrypted path between your browser and a web server. For example, if you make an order through Namecheap (who use SSL), only Namecheap will have the key to encrypt and understand the data sent.

The process itself gets quite technical, and the finer details are only understandable for experienced programmers, but the basic premise of SSL isn't complicated to understand. Basically, SSL certificates unbreakably encrypt the data that goes from a user’s computer to the target website and back. It's simply a way for your browser and a server to know that each party is who it says it is. The server’s digital SSL certificate confirms its identity, after which the encrypted data exchange can begin.

The Fundamentals of Key Cryptography

SSL works based on asymmetric cryptography. Each SSL session consists of two keys:

  • The public key is used to encrypt (scramble) the information and it’s available for anyone.

  • The private key is used to decrypt (unscramble) the information and restore it to its original format so that it can be read. The private key belongs exclusively to its owner (the owner of the SSL).

Asymmetric or public key cryptography underlines how SSL cryptography works. This basic works of this are best illustrated with an imaginary box with a lock. The box holds precious things inside and a key is used to lock and protect them. A normal box takes one key to open it. The asymmetric box has two separate keys required to use the box.

SSL isn’t only a priority for e-commerce site owners. These days, internet users are savvy enough to look for the lock when visiting a website. HTTPs at the beginning of a website addresses indicates that a site is secure and safe to use. Applying SSL is a simple way to win user trust and quell any privacy concerns when data is offered online.

The first can only turn the lock clockwise (a-c), the second lock can only turn anticlockwise (from c-a). The first lock is known as the private key, the second is the public key. One person, Kevin, keeps the private key and makes hundred of copies of the second, public key. Everyone else has the public key; Kevin can hand them out to friends, or if someone asks for their business card, leave a spare at the office.

Why go to the fuss of an extra key? Well, these keys can do something interesting things. Perhaps you want to send Kevin a personal document or some confidential files for example. You can put them in the box and use a copy of his public key to lock it. Since Kevin’s public key will only turn clockwise, you turn it to position A to lock the box. The only key to turn from A to B, to unlock the box is Kevin’s private key, the one he kept for himself.

That sums up public key cryptography, anyone with a copy of Kevin’s public key (which could be everyone since he’s been giving them away to pretty much anyone, remember) can put documents into his box, lock it and know that only Kevin can unlock it and access the private information.

In the computer world, this whole process takes place online. There is no need for special boxes and the keys are just very long numbers. You can keep your number (private key) in a safe place, and your public-key which is also a long number can go anywhere you like, your website or email signature for example

The SSL Handshake

SSL uses a key pair to encrypt data − A public key that’s known to everyone and a private key known only to the recipient of the message. The mechanism that establishes the trust between each party does so with the help of a cryptographic key. This key enables a digital handshake between browser and server (the SSL handshake). Encryption-decryption takes place as a multi-step process that includes the following steps:

  1. A browser attempts to connect to a server (the target website) that is secured with an SSL certificate. The website first asks the web server to identify itself.

  2. The website responds by identifying itself with a copy of the SSL certificate, sending it’s public key back to your browser.

  3. The client (your browser) then decides if it trusts the SSL certificate and if it’s safe to open the page. It asks for the SSL information to verify that the server is who it says it is. Once it receives this information, the browser contacts reputable sources to ensure the information is correct.

  4. If the client decides to trust the certificate, it verifies the information you will be presented with is from the website you expect to be going to. It then sends its public key to the server.

  5. The server then creates the encrypted message using the client’s public key and the server’s private key, and sends the message back to the browser.

  6. Once the client’s browser decrypts the message, the user/browser and the website/server have established a secure connection.

During step 4, the browser connects to and retrieves a secure site's SSL Certificate. To make sure it’s safe to open the page it will check the follow is true:

  • The certificate is still valid (all SSL certificates have an expiration date)

  • The certificate has been issued by a Certification Authority the browser trusts

  • The certificate is being used by the website for which it has been issued.

If it doesn’t pass on any of these three checks, the browser will automatically display a warning to the website browser. The warning will make sure the end user knows that the site is not secured by SSL. These warning messages are embarrassing for website owners and, in the case of e-commerce websites, such messages result in immediate suspicion from online consumers. When the online community lack confidence in a website or organization, they risk losing business from the majority of consumers.

The complexities and workings of the SSL protocol remain invisible to website browsers. Website visitors look for indicators in their browser to let them know they are protected by an SSL encrypted session. When a trusted SSL digital signature is used during a SSL connection, users will see indicators such as a padlock icon in the left-hand corner of their address bar. Clicking on the lock icon displays the SSL Certificate and all details about it. When an extra secure certificate known as Extended Validation (EV) is installed, the address bar will turn green.

Types of SSL Certificate

Digital signature

Let's revert back to the box analogy. Suppose Kevin put a document into the box and uses his private key to lock it (turning the key to position C). Why would he do this when he knows anyone with his public key can unlock it? There is a point to his actions. If you receive a box that says it's from Kevin, and you don't believe it's from him, , just pick out Kevin’s public-key from your drawer and try it. You try turning left and miraculously, the box opens! This can only mean one thing, the box was locked using Kevins private key, the only one in existence. We can safely assume that Kevin and no one else put the information into the box and sent it on. This concept is known as the 'digital signature.'

Just like handwritten signatures, digital signatures are unique to the signer. Providers of digital signatures, i.e., DocuSign follow a protocol called public key infrastructure (PKI). PKI is a set of roles and procedures defined to facilitate the creation and distribution of public-key creation. So if a server claims to have a certificate for that is signed by DocuSign (or some other CA), your browser doesn’t have to take its word for it.

If it is legit, DocuSign will have used their (ultra-secret) private key to generate the server’s SSL certificate digital signature, and so your browser use can use their (ultra-public) public key to check that this signature is valid. DocuSign will have taken steps to ensure the organization they are signing for really does own, and so given that your client trusts DocuSign, it can be sure that it really is talking to Apple Inc.


A self-signed signature means that the digital signature is generated using the certificate’s own unique private key. All root ‘CA’ certificates are self-signed, but theirs aren’t intrinsically special. With a certain amount of technical skills, you can generate your own self-signed certificate.

The problem with a self-signed certificate is that your certificate will not be preloaded as a recognized CA into any browser since none of them will trust your seemingly random self-made certificate. It’s like saying “I’m the Bank of America, trust me and the certificate of identity I signed myself”. All respectable browsers will red flag this and warn internet browsers with an error message signally your suspicious credentials.

Client Vs. Server Certificates

A client signature is best understood as a variant of a digital signature. These are widely used by the client site to make sure systems are authenticated, so that trust requests are forwarded to a remote server. The certificate offers a strong guarantee of requesters identify.

The server certificate confirms the identity of a server presented during the SSL handshake. These are typically issued by a certificate authority well known to the client.

How to Get an SSL Certificate

We've discussed the benefits of HTTPs, but how do you go about actually switching from HTTP to HTTPS. One of the many perks of SSL is how simple it is to set up. Once you've successfully added it to your website, all you have to do is route people to use HTTPS instead of HTTP.

If you tried to open your website by putting https:// in front of your URLs right now, you would be met with an error. This will happen because you haven’t installed an SSL certificate on your site. We can fix this. We’ll walk you through the installation and setup process. In order to set up HTTPS on your website, you will need to complete these simple steps:

  1. Host a website with a dedicated IP address.

  2. Buy an SSL certificate

  3. Activate the SSL certificate

  4. Install the SSL certificate

  5. Finally, update your website to use HTTPs.

The entire process isn't complicated, it just involves a number of steps which can be a bit time-consuming. If you are familiar with the workings of the backend of websites, then the entire switching process will be more straightforward in practice.

What’s the process for switching to HTTPS?

Follow these steps to switch to HTTPS without any glitches:

  1. Purchase an SSL certificate and a dedicated IP address from a certificate authority or your domain host.

  2. Install and configure the SSL certificate.

  3. Perform a backup of your website to be on the safe side, it’s also helpful in the case you need to revert back any changes.

  4. Reconfigure the internal links within your website, from HTTP to the secure HTTPS prefix.

  5. If you have any code libraries, such as JavaScript and any third-party plugins, update them.

  6. If you control any external links such as directory listings, redirect them to HTTPS.

  7. Once you have SSL on your website, you can redirect visitors to the HTTPS versions of your site automatically. Linux and cPanel acounts use .htaccess files to handle redirection, whereas Windows and Plesk based account use web.config files to redirect HTTP traffic to HTTPS.

  8. If you are using a content delivery network (CDN), login to your CDN dashboard and add the certificate and private key to your zone.

  9. Implement 301 redirects on all pages.

  10. Update any links you use in marketing automation tools, such as email links with the correct protocol.

  11. Update any landing pages, URL paths including subdomains and protocols, and paid search links.

Concerning purely setting up the certificate, the first two points are straightforward, and it’s more than likely your hosting company can assist you at this stage. Also, consider that the list above is exhaustive. If you run a small website, many of the points above won’t apply to you. On the other hand, for a larger website, this is a significant event and should be managed by an experienced webmaster.

The case for switching to HTTPS

The strongest case for buying an SSL certificate is that you are making your website more secure. The protocol is constantly evolving as hackers attempt new forms of attack. Advancements in detecting and countermeasures ensure they are discovered and stopped in their tracks.

Any site owner using a content management system such as WordPress, or any other login where you host any confidential or sensitive data should consider setting up a secure HTTPS login as the bare minimum precaution regards site security.

Bear in mind that SSL isn't completely impenetrable. Unlike a web application firewall, it’s not going to prevent your website from getting hacked or stop phishing emails getting sent, either. HTTPS is the very minimum you can offer your visitors and aside from the added security, HTTPS also improves trust in whatever it is your website is all about.

You may also like

Need help? We're always here for you.

× Close