SSL stands for secure sockets layer, a technology used on the Internet to transmit online communications in an encrypted form. A digitally secure communications channel is established between the server (Web site) and the client (your computer and Web browser), after which all data passed between the two is encrypted. The encryption and decryption process is provided by the use of digital signatures, and determining whether a Web site is what it says it is can be ascertained by using digital certificates that are signed by a Certificate Authority acting as a trusted third party.
When a site has purchased an SSL Digital Certificate from a Certificate Authority, it can utilize the https://... protocol instead of the http:// protocol to provide encryption of data and verification of identity, which helps to answer the questions:
"Can anyone on the network between me and the Web site grab the information I am submitting and make any sense out of it?"
"Am I really talking directly to my bank's site or is there someone hijacking my session in between?"
An SSL Digital Certificate is a digital representation of information that a Web site purchases from a trusted third party Certificate Authority, which verifies and communicates the identity of the site, validity period of the site's certificate, the site's public key (for encryption and decryption purposes), and the Certificate Authorities identity.
An SSL Digital Certificate allows someone browsing to a site to know that they are directly talking with that site and that all information being passed between that site and their computer is encrypted and safe from anyone else seeing it.
NOTE: Although a valid SSL Digital Certificate verifies company information and data integrity, it does not mean that a company is "good" or that it will deliver goods and/or services as expected. As always, this is an area that the consumer must research and assume responsibility for.
When a Web site purchases and installs an SSL Digital Certificate, it then has the capability to serve pages over SSL. From a users standpoint, this simply means that they have followed a link to a site name using the form https://www.sitename.com rather than http://www.sitename.com (notice the "s" in the first "https://...") There is not a great deal of extra work for the user, but what happens in the background is significantly more complex and helps to ensure the confidentiality of information passed between the user and the site. The user is often notified of the use of SSL on a site by the tell-tale padlock that shows up in their browser tool bar (this varies from browser to browser). This padlock can be opened (usually by a double-click) to see details about the certificate that the site is using to communicate with the user.
Let's walk through this and explain exactly what happens when you visit an SSL secured site and enter your credentials:
Is the server that I am talking to actually www.mybank.com?
Has the certificate for www.mybank.com expired?
Does my browser trust the Certificate Authority that issued the certificate to the www.mybank.com site?
You are at risk anytime you enter any secure information or credentials online without the use of SSL.
When using SSL, you are at risk during the initial check when your browser is verifying the sites information, which is the critical step. If your browser receives any information that does not match what it is expecting, you get a pop-up that explains that there was a problem and attempts to tell you what the problem was. These problems fall into one of three categories:
These errors can have a lot of meanings and implications. It is imperative that you as the user are very conscious of your actions online and do not disregard warning messages. The bottom line is that if you get any error messages when accessing an SSL site or page, it is best to cancel that session and not enter any confidential information. Call the company and verify that their pages are up and running, and talk to them about the error before utilizing their online services. Also, any time you are prompted for credentials, you should always ensure that the page is using SSL by looking for the tell-tale padlock. Sometimes companies write SSL Web pages that are embedded within other non-SSL pages and you do not see the padlock. In these instances, it is best to call the company and verify that the pages are using SSL prior to entering anything confidential. It is always better to be safe than sorry.
There are a couple of ways to get a certificate that allows for an SSL connection to be made to the Web servers. One way is to pay for a certificate from a nationally recognized vendor who has paid to be included by default in many of today's most popular Web browsers. When this is done, most of the time you never see a message about "trusting" that authority. This vendor issues a certificate from what is called a Certificate Authority, and if anyone ever wants to check the validity of a certificate, it is tracked back to a Certificate Authority for validation.
To save costs, UW runs our own Certificate Authority here on campus for all development servers that require SSL on them. Under normal circumstances, we push the "trusting" of our certificate authority out to all computers that belong to the UWYO domain. Therefore, these computers will not see any messages. When a person is prompted with this information when on campus, the person probably tried to come in from a system that was not a member of the UWYO domain (one from another domain that doesn't trust UWYO or a personal computer). In this case, since the Web browser they are using does not automatically recognize the UW certificate authority (named UWYOCERTAUTH.UWYO.EDU), the browser stops and says "Hey, I don't know this certificate issuer, do you want to trust them?" In most cases, the user wants to be wary when they see this message; however, in this case, since it is a legitimate server, they are okay to go ahead and trust it. The user can also choose to always trust that authority; this will discontinue the prompts about not recognizing UWYOCERTAUTH, which is used on a number of development servers around campus.
Reviewed: 0706 By: CD, RD
Additional help with the installation and configuration of
UW-supported software is available:
Contact the IT Help Desk at 766-HELP (4357), option 1
Contact the IT Help Desk at 766-HELP (4357), option 1
Come to the student computer lab in the lobby of the
Information Technology Center.
Chat with a UW IT Representative
Chat with a UW IT Representative:
IT Help Hours:
Monday – Friday, 8:00am – 5:00pm
Closed Sat and Sun