SSL Certificate Security Glossary
128 bit SSL
128 bit SSL is also referred to as strong SSL security. The 128 bit tells users
that the size of the encryption key used to encrypt the data being passed between
a web browser and web server is 128 bits in size (mathematically, there are 2
to the power of 128 possible keys). Because a 128 bit key is so large, it is computationally
infeasible to crack and hence is known as strong SSL security.
Most web servers and web browsers support 128 bit SSL. However some versions outside
of the US will only support 40 bit SSL and should be upgraded.
The act of determining that a message has not been changed since leaving its point
of origin. Authentication, secure authentication or secure SSL authentication of
a user, is usually derived from something that the user understands, is or has.
Many SSL authentication systems which provide SSL Internet security and online payment
system security are now shifting toward public key encryption.
An Internet IPsec protocol: a field that immediately follows the IP header in an
IP datagram and provides authentication and integrity checking for the datagram.
It also provides protection against replay attacks; it secures authentication like
secure SSL digital ID validation.
A portable device used for authenticating a user. Authentication tokens operate
by challenge/response, time-based code sequences, or other techniques. This may
include paper-based lists of one-time passwords.
A record containing information that can be shown to have been recently generated
using the session key known only by the client and server.
SSL Certificate security must be genuine and verifiable. In SSL Internet security
and network security, it is imperative that authenticity is not assumed.
A technology that makes it possible to identify who published a piece of software
and to verify that it has not been tampered with. It also confirms that the digital
certificate used to sign the code was issued by the certificate authority originally.
Giving access or other rights to a user, process or program that has been authorized.
A file that attests to the identity of an organization or web browser user and is
used to verify that data being exchanged over a network is from the intended source.
The certificate is digitally signed either by a Certificate Authority or is self-signed.
There are CA certificates, client CA certificates, client certificates, and server
Certificate Revocation List
A list maintained by the Certificate Authority of all certificates that are revoked,
but not expired. A certificate may be revoked because the user's private key is
assumed to be compromised, the user is no longer certified by this Certificate Authority,
or the Certificate Authority's private key is assumed to be compromised.
The complete assessment of the technical and nontechnical security functions of
a system and other safeguards that are made for the accreditation process, which
establishes the degree to which a particular plan and implementation meet a certain
set of security conditions.
Certification Authority (CA)
A third party organization which is used to confirm the relationship between a party
to the https transaction and that party's public key. Certification authorities
may be widely known and trusted institutions for internet based transactions, though
where https is used on a company's internal networks, an internal department within
the company may fulfill this role.
CPS (Certification Practice Statement)
CPS is short for Certification Practice Statement. The CPS is a document published
by the Certification Authority and outlines the practices and policies employed
by the organization in issuing, managing and revoking digital certificates.
CRL (Certificate Revocation List)
CRL is short for Certificate Revocation List. The CRL is a digitally signed data
file containing details of each digital certificate that has been revoked. The CRL
can be downloaded and installed into a user's browser and ensures that the browser
will not trust a revoked digital certificate.
CSR (Certificate Signing Request)
CSR is short for Certificate Signing Request. When applying for a SSL certificate
the first stage is to create a CSR on your web server. This involves telling your
web server some details about your site and your organization; it will then output
a CSR file. This file will be needed when you apply for your SSL certificate.
Digital Signature
A digital signature (not to be confused with a digital certificate) is an electronic
rather than a written signature. It can be used with any kind of message, whether
it is encrypted or not, simply so that the receiver can be sure of the sender's
identity and that the message arrived intact. A digital certificate contains the
digital signature of the certificate-issuing authority so that anyone can verify
that the certificate is real. Additional benefits to the use of a digital signature
are that it is easily transportable, cannot be easily repudiated, cannot be imitated
by someone else, and can be automatically time-stamped.
Digital Signature Algorithm (DSA)
An algorithm for producing digital signatures, developed by NIST and the NSA. To
sign a message, Jean uses the DSA Sign Algorithm to encode a digest of the message
using her private key. For all practical purposes, there is no way to decrypt this
information. However, anyone who receives the message and accompanying digital signature
can verify the signature by using the DSA Verify Algorithm to process the following
information: the received signature; a digest of the received message; and Jean's
public key. If the output of this algorithm matches a certain part of the digital
signature, the signature is valid and the message has not changed. In contrast to
RSA and other encryption-based signature algorithms, DSA has no ability to encrypt
or decrypt information.
Digital Signature Standard (DSS)
A National Institute of Standards and Technology (NIST) standard for digital signatures,
used to authenticate both a message and the signer. DSS has a security level comparable
to RSA (Rivest-Shamir-Adleman) cryptography, having 1,024-bit keys.
Quite simply, the act of selling over the internet. This can either be Business
to Business (B2B) or Business to Consumer (B2C).
Encryption
Encryption is the process of changing data into a form that can be read only by
the intended receiver. To decipher the message, the receiver of the encrypted data
must have the proper decryption key. In traditional encryption schemes, the sender
and the receiver use the same key to encrypt and decrypt data. Public-key encryption
schemes use two keys: a public key, which anyone may use, and a corresponding private
key, which is possessed only by the person who created it. With this method, anyone
may send a message encrypted with the owner's public key, but only the owner has
the private key necessary to decrypt it.
A secured system passing and inspecting traffic via an internal trusted secure server
network and an external secure server network that is untrusted, like the Internet.
Firewalls can be used to discover, prevent, or mitigate certain kinds of secure
server network attack. This provides Internet security and online security.
Host headers SSL
Host headers are used by IIS as a means of serving multiple websites using the same
IP address. As a SSL certificate requires a dedicated IP address, host headers cannot
be used with SSL. When the SSL protocol takes place the host header information
is also encrypted; as a result the web server does not know which website to connect
to. This is why a dedicated IP address per website must be used.
Browsers can connect to web servers over http and over https. Connecting over https
involves you entering https:// before the domain name or URL and, providing the
web server has a SSL certificate, the connection will be secured and encrypted.
IIS (Internet Information Services)
IIS is short for Internet Information Services and is Microsoft's popular web server
A protected/private character string which is applied to authenticate an identity,
which gives secure authentication and secure SSL authentication, sometimes with
digital signatures and digital certificates like 128-bit SSL digital certificates.
Passwords are for a user's online security or authorization security. Working together
are certs and secure email with SSL certificates, all terms related to online security.
Similar to "protocol" in human communication which involves a previously agreed
upon set of rules for communicating in diplomatic settings. On the Internet, a protocol
is an agreed upon method for sending and receiving information.
The key that a user keeps secret in asymmetric encryption. It can encrypt or decrypt
data for a single transaction but cannot do both.
The key that a user allows the world to know in asymmetric encryption. It can encrypt
or decrypt data for a single transaction but cannot do both.
A self signed certificate issued from a root level Certificate Authority (CA).
A Web server that utilizes security protocols like SSL to encrypt and decrypt data,
messages, and online payment gateways to accept credit cards, to protect them against
fraud, false identification, or third party tampering. Purchasing from a secure
Web server ensures that a user's credit card information or personal information
can be encrypted with a secret code that is difficult to break. Popular security
protocols include SSL, SHTTP, SSH2, SFTP, PCT, and IPSec.
SSL (Secure Sockets Layer)
SSL is short for Secure Sockets Layer. The SSL protocol was developed by Netscape
and is supported by all popular web browsers such as Internet Explorer, Netscape,
AOL and Opera. For SSL to work a SSL certificate issued by a Certification Authority
must be installed on the web server; SSL can then be used to encrypt the data transmitted
(secure SSL transactions) between a browser and web server (and vice versa). Browsers
indicate a SSL secured session by changing the http to https and displaying a small
padlock. Website visitors can click on the padlock to view the SSL certificate.
SSL Key
The SSL Key, also known as a Private Key, is the secret key associated with your
SSL certificate and should reside securely on your web server. When you create a
CSR your web server will also create a SSL Key. When your SSL certificate has been
issued, you will need to install the SSL certificate onto your web server - which
effectively marries the SSL certificate to the SSL key. As the SSL key is only ever
used by the web server it is a means of proving that the web server can legitimately
use the SSL certificate.
If you do not have, or lose, either the SSL Key or the SSL certificate, then you will
no longer be able to use SSL on your web server.
SSL Handshake
The SSL handshake is the term given to the process of the browser and web server
setting up a SSL session. The SSL handshake involves the browser receiving the SSL
certificate and then sending "challenge" data to the web server in order to cryptographically
prove whether the web server holds the SSL key associated with the SSL certificate.
If the cryptographic challenge is successful then the SSL handshake has completed
and the web server will hold a SSL session with the web browser. During a SSL session
the data transmitted between the web server and web browser will be encrypted. The
SSL handshake takes only a fraction of a second to complete.
SSL Port / https Port
A port is the "logical connection place" where a browser will connect to a web server.
The SSL port or the https port is the port that you would assign on your web server
for SSL traffic. The industry standard port to use is port 443 - most networks and
firewalls expect port 443 to be used for SSL. However it is possible to name other
SSL ports / https ports to be used if necessary. The standard port used for non-secure
http traffic is 80.
SSL Proxy
SSL Proxy allows non-SSL aware applications to be secured by SSL. The SSL Proxy
will add SSL support by being plugged into the connection between the browser (or
client) and the web server.
Ordinarily the SSL handshake and subsequent encryption of data between a browser
and the web server is handled by the web server itself. However for some extremely
popular sites, the amount of traffic being served over SSL means that the web server
either becomes overloaded or it simply cannot handle the required number of SSL
connections. For such sites a SSL Accelerator can help improve the number of concurrent
connections and speed of the SSL handshake. SSL Accelerators offer the same support
for SSL as web servers.
Shared SSL & Wildcard SSL
It is possible for a web hosting company to share a single SSL certificate - this
allows the same SSL certificate to be used by many websites without the need to
issue individual SSL certificates to each hosting customer. The recommended way
to share SSL is to use a Wildcard SSL certificate. This allows the unlimited use
of different sub domains on the same domain name. The Wildcard certificate allows
the webhosting company to give each customer a secure sub domain, such as customer1.webhost.com,
customer2.webhost.com, etc. The same can be applied for organizations wanting to
secure multiple sub domains within the enterprise network.
TLS (Transport Layer Security)
TLS is short for Transport Layer Security. The TLS protocol is designed to one day
supersede the SSL protocol, however at present few organizations use it instead
The procedure that contrasts two levels of system explicitation for appropriate