Imagine that you are standing in a rather long queue to buy a ticket for your train. It has been 10 minutes and the head count ahead of you shows no signs of reducing fast. A nice gentleman walks upto you and says that he is an agent sent out by the ticket counter to speed up the ticketing process for the people who are way back in the queue. If you could give him the fare, he would give you a ticket. One of the following two things can happen. You realise that this is a con-man and try to alert the authorities, but before anyone can do anything, the man has slipped away and melted into the crowd. Another possibility is that you give him the money and he suddenly makes a dash for it. What happens next is the same. You alerting the authorities, but the man melting into the crowd. Either way, before anything can be done by the authorities, the man is nowhere to be seen.
A crowded area feels safe for a lot of things. For one, you can walk without anyone accompanying you and if someone attempts a bold crime, there are others to protect you. But a crowded area can also be a bane, useful for subtle conmen to hide themselves. The types who look for soft targets, do something stealthy before anyone realises what just happened and then melt away.
The Internet is no stranger to such subtle conmen. And the Internet is a much more crowded place. Not only is it the playing field for a single locality, but for the entire world. And let’s face it, there is no authority setup or hierarchy in the Internet and in fact it is upto the local authorities to protect the surfers from international cons, which is a tall order.
Enter Secure Socket Layer
The engineers of Internet have thus come up with various ways to protect its users and one very popular method is the SSL or the Secure Socket Layer. SSL acts by verifying the service providers’ identity and letting the users know that the providers are exactly who they claim to be. Once the identity is verified, all the communication is encrypted such that no one trying to eavesdrop can understand what is being said. SSL is used in almost every Internet service that we see, such as Email and chat. However, its most popular and widespread use is to protect Internet’s most common user, the web surfer. You have heard this security method’s name several times — HTTPS.
Components of SSL
There are several participants and components in the SSL script. Here, I will introduce you to them in the form of a cast and then we shall see the SSL process as a short story.
The user: Sid
Meet our Internet savvy user, Sid, who loves to purchase things online. This is whom we are trying to protect, so that the Internet con-men do not steal his money. Sid uses a browser (like Google Chrome, Firefox or Safari), but in our story, we will use Sid and his browser interchangeably, since impersonation sticks in mind better 🙂
This is the fictious e-Shopping website where Sid buys his favourite products. They facilitate payment using the payment gateway MyRupeePurse.in.
MyRupeePurse is our fictious payment gateway service which Sid often uses to pay for the goods that he purchases online. MyRupeePurse.in has enabled SSL using GoDaddy so that,
- Purchasers like Sid know that they are using the legitimate MyRupeePurse.in and not an imposter. SSL enables a service to hold a certificate of authenticity.
- All communication between Sid and MyRupeePurse.in is secure, using a method called private-public key pair, which we shall see shortly.
Very few of us need an introduction to Godaddy. They are the ones who sell domain names (e.g. MyRupeePurse.in bought their domain name from GoDaddy). But importantly, they also sell digital signatures. We will see soon, what digital signatures are. It is also noteworthy at this point to say that Sid completely trusts GoDaddy. There is a technical word to describe a trustworthy party like GoDaddy. They are called Certificate Authorities.
An SSL certificate is like a passport or an Aadhar card (in India, that is the equivalent of Social Security). It serves as a valid, certified ID for a service provider, which in our case is MyRupeePurse.in. They applied for it from GoDaddy. Just like passports, SSL certificates can be faked, but will be caught out as we shall see later.
When a certificate authority authorises that a certain SSL certificate legitimately belongs to a service provider, it signs its word of authority over that certificate and enables a user to trust that provider. E.g. Because GoDaddy signed over the MyRupeePurse.in, Sid is able to trust them with his payments. There are trustworthy ways to verify that a certificate was indeed signed by a certificate authority like GoDaddy.
Private key / public key pair
Let us think of a special box with a special type of magic lock. This magic lock has two keys and exhibits a peculiar behaviour (that’s why it’s a magic lock!). Let us call them Key 1 and Key 2. If the lock has been locked with Key 1, then it can be re-opened only with Key 2 and vice-versa. Wizard Tala Guru (the ‘master of locks’ in Sanskrit language!) is in charge of the box, the lock and the two keys. This can potentially create a very powerful security possibility.
The wizard wants a reliable way for people to be able to send him messages in the box, such that no one else can snoop into them. If someone requests that he or she wants to send the wizard a protected message, the wizard makes a copy of Key 2 for use by that person. Then the box, the lock and the copy of Key 2 are sent to that person. The wizard protects Key 1 with all his life and will not hand it over to anyone under any circumstances.
The messenger writes out the secret message, puts it into the box and locks it firmly using Key 2. He / she can rest assured that only Key 1 and hence only the wizard can open the box. Likewise, the wizard, having read the message, composes his reply, puts it into the box and locks it with Key 1 and can safely assume that only those with a copy of Key 2 can open the box.
Key 2 can be distributed in copies to as many people who want to maintain a secure channel of communication with the wizard as desired. Key 2 is the public key. However Key 1 MUST be guarded by the wizard and its compromise will break the entire security. Key 1 is the private key.
The SSL screenplay
Now that we have seen all the components and roles of the SSL screencast, let us go through two stories. The first story is the one where MyRupeePurse.in applies for a digital signature from GoDaddy.
Digital Signature Application
MyRupeePurse.in to GoDaddy: Listen, I want to make my website secure. As requested by you, I have created an SSL certificate for myself, that I would like to present to people who want to pay through our service. Can you help me get a digital certificate?
GoDaddy to MyRupeePurse.in: Sure, I see that no one else has applied for a certificate with this domain name, so you are eligible. Please just hand me your SSL certificate, I’ll sign it for you.
GoDaddy signs at the designated place, but then does something cool. It sticks a small box on top of the signature and locks it with a magic lock desiged by our wizard, using a private key that only they possess. Then they put their seal on top of the box.
GoDaddy to MyRupeePurse.in: Here you go. Remember, you can never open this box, but don’t worry, if anyone asks to see this signature, we will help them open this box. If you remove this box and display the signature in plain sight, we will consider this certificate as tampered and illegit. Keep that in mind. All the best.
Now MyRupeePurse.in can rest assured that only they are in possession of GoDaddy’s special signature for that particular domain name and no one else can claim it. It is time for them to rock the show.
Now we trace through Sid’s purchase story to see how this entire thing works.
Sid’s purchase and payment
Sid to GoodProducts.in: Okay, I love these shoes and would like to checkout and pay? Please guide me.
GoodProducts.in to Sid: Sure, we take all our payments via MyRupeePurse.in. Let us guide you there. Once you complete your payment, we will know and shall let you have these shoes. Thanks for your shopping, sir.
Sid to MyRupeePurse.in: Listen, GoodProducts.in sent me in here to pay for my order with them. But first, I would like to verify that you are indeed MyRupeePurse.in and not an imposter.
MyRupeePurse.in to Sid: Sure, I have my SSL certificate. You can have a look.
At this point, if the certificate does not have the box with the digital signature at all or if the signature is visible in plain sight, Sid can shout out, “Hey, this is fudged! Imposter! Thief!!” However let us assume that it is a legit start.
Sid to MyRupeePurse.in: Hmm, okay, I see a seal of GoDaddy on this box. Let me go to GoDaddy to find out if this is real.
Sid to GoDaddy: Listen, I have got this person claiming to be MyRupeePurse.in and I have been given an SSL certificate affixed with a box of digital signature. The box has your seal. Do you know any MyRupeePurse.in?
If GoDaddy says, “I have no idea who that is!”, then Sid can yell “Thief!” again.
However in a happy story,
GoDaddy to Sid: Yup, we do know MyRupeePurse.in and we did give them the authority to set up an SSL-enabled service over that domain name. You say you see the box with our seal? Great! Let us help you open it.
GoDaddy makes a copy of the public key corresponding to the private key with which it locked the signature box.
GoDaddy to Sid: Okay, here is a key that should help you open this box. If it indeed is our signature, this key and only a copy of this key can open the box. If this key is unable to open the box, then this signature and the box with our seal has been faked.
If Sid is unable to open the box, he is within his rights to yell again. But fortunately, the certificate is legit.
Sid to GoDaddy: I can open it. Thanks GoDaddy, I will go ahead with the secure service now.
Sid to MyRupeePurse.in: Alright, MyRupeePurse.in, I have verified that you are indeed the correct party, let us go ahead with this payment.
MyRupeePurse.in to Sid: Cool Sid. Okay, now let us proceed. But I want to make sure that anything we speak now cannot be snooped by anyone. I will send you a set of forms with blanks to be filled in, enclosed in a box that has a lock (private and public key again, this time with a private key made specially for MyRupeePurse.in). Here are the keys (public) to the lock. Once you fill up the box, please use the lock to seal the box, before sending them back to me. The lock is special. No one else can open the box other than I.
Sid is required to fill up sensitive information in the form, such as a bank account / credit card to pay with and the CVV code or a One Time Password, due to which the channel should be highly secure. The security is ensured by the private-public key pair made available by MyRupeePurse.in. After the payment is done, MyRupeePurse.in leads Sid back to GoodProducts.in with a payment acknowledgement.
GoodProducts.in to Sid: Your payment via MyRupeePurse.in was successful. Enjoy your shoes. Thanks again for shopping. Here is your receipt.
In the above story, you saw how MyRupeePurse.in and GoDaddy have setup a very safe fraud-free environment for Sid to shop and enjoy to his heart’s content without worrying about losing his money. We still have many not-so-Internet-savvy people who are apprehensive about shopping over the Internet, but the above story hopefully clarifies how safe it is.
Does your company provide SSL based services to your clients? Do you specifically point your browser to the HTTPS enabled version of websites? Do you consciously verify that your bank websites and password protected resources such as Email and chat take you to HTTPS and SSL based URLs? How safe do you feel while accessing your information over the Internet? Please let me know about your experience in the comments.