SSL is a client-server protocol that creates a secure channel over the Internet. SSL is used to validate the identity of the destination server and (optionally) the client, and to encrypt information sent across the Internet between the client and server.
When a client, such as a browser, first sends an HTTPS request to a Web server, it starts a series of message exchanges called the SSL handshake. During the SSL handshake:
Below is an illustration of the SSL handshake.
After the SSL handshake is successfully completed, the browser and Web server continue with the standard HTTP communications in a secure manner.
The following packet capture shows the SSL packets as they are exchanged between the browser, which is the client, and the Web server.
SSL uses Public Key Infrastructure (PKI) to ensure the trustworthiness of the certificates. PKI uses a trusted third party, called a certificate authority (CA) to guarantee the identity of an entity. When a CA verifies an entity’s identity, it uses an algorithm, such as RSA, to generate a public and private key. It gives the private key to the requesting entity, and the public key is made available to the public. To authenticate itself to another party, the entity uses its private key to encrypt its certificate and the other party uses the corresponding public key to decrypt it.
A CA issues certificates in a tree structure, with the root certificate as the top-most certificate. The CA signs the root certificate, which is considered trustworthy in many software applications, such as web browsers. Web browsers have the root certificates of many CAs.
A root certificate can sign and designate a certificate as an intermediate CA certificate, which can sign and designate other certificates as intermediate certificates as well. A certificate chain refers to the list of certificates that complete the chain of trust, from the trusted root CA certificate to any intermediate certificates and the certificate of an entity. Below is an example of a certificate chain.
The certificate of mail.google.com was signed by Google Internet Authority G2.
The certificate of Google Internet Authority G2 was signed by GeoTrust Global CA.
The certificate of GeoTrust Global was signed by Equifax Secure Certificate Authority.
The certificate of GeoTrust Global CA and Equifax Secure Certificate Authority are in the certificate store of the browser.
To read more about how the Zscaler service can protect your organization from the potential misuse of SSL by attackers for malicious activity, see How Zscaler Protects SSL Traffic in About SSL Inspection.