To whom do you give your information? | How does SSL protect our info

The purpose of authentication is to establish who the caller is; authorization then decides, based on that identity, which actions the caller may perform on which data. Authentication can be implemented in several ways:

  • HTTP authentication (e.g. Basic), which sends the credentials with every request in a reversible base64 encoding; it is acceptable only over HTTPS and only for low-value data

  • Forms authentication, which is a good fit if your application is self-contained (the user logs in through a page and gets a session cookie); it is not suited to public REST endpoints

  • Token-based authentication (for public REST endpoints), where the client presents a bearer token with each request

None of these schemes is secure on its own: without HTTPS (HTTP carried over SSL/TLS) the credentials, session cookies or tokens they rely on travel in cleartext and can be read or replayed by anyone on the network path. SSL/TLS is what raises the overall security of the application.

With plain HTTP you are serving your data on a silver platter to anyone who can observe the traffic; HTTPS takes that away.

How does SSL work? (What browsers actually speak today is TLS, the successor of SSL, but the name SSL has stuck.) Take a client (a browser) and a server that hosts our application.

  • The client connects to the application with an HTTPS request, which opens a TLS handshake.
  • The server is configured with its certificate and sends a copy of that certificate, which contains the server's public key, back to the client (together with any intermediate CA certificates).
  • The client verifies the certificate it received: that it chains to a certificate authority the client trusts, that it has not expired, and that the name in it matches the host the client asked for. If everything checks out, client and server agree on a session key. In modern TLS the two sides derive it together through an ephemeral Diffie-Hellman exchange; in the older RSA key exchange the client generated a secret, encrypted it with the server's public key and sent it over. That session key then encrypts all data exchanged between client and server for the rest of the session.
  • The browser shows a padlock (older browsers used a green or red label) to tell the user whether the connection is secure; a certificate it cannot verify produces a full-page warning instead.

The browser, or the operating system it runs on, ships with a trust store: a list of root certificate authorities whose signatures it accepts. That list is what lets the browser decide whether to show the padlock or a warning.
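The handshake steps and the trust-store check above, as an added example that is not part of the original article: it builds a throw-away root CA and a server certificate for the assumed host name app.example in memory, then runs three TLS handshakes over loopback TCP using only Go's standard library. The first client trusts the CA and asks for app.example (the handshake succeeds and the connection state shows the negotiated protocol version and cipher suite, i.e. a session key was agreed); the second client has an empty trust store (the certificate is rejected as signed by an unknown authority); the third client is told it is talking to other.example (rejected because the certificate is not valid for that name). The CA name, host names and certificates are all constructed here for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert creates a certificate for cn: self-signed when parent is nil (our
// throw-away root CA), otherwise signed by parent's key (the server's leaf cert).
func issueCert(cn string, dnsNames []string, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dnsNames, // host names this certificate is valid for
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// handshake runs one TLS handshake over loopback TCP. The server presents
// serverCert; the client accepts only certificates chaining to roots (its trust
// store) and expects one valid for serverName. It returns the negotiated
// connection state on success, otherwise the client's verification error.
func handshake(serverCert tls.Certificate, roots *x509.CertPool, serverName string) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and perform the handshake
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		_ = srv.Handshake() // fails exactly when the client rejects the certificate
		srv.Close()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return tls.ConnectionState{}, err
	}
	cli := tls.Client(raw, &tls.Config{
		RootCAs:    roots,      // the client's trust store (the browser/OS root list)
		ServerName: serverName, // the host the client believes it is talking to
		MinVersion: tls.VersionTLS12,
	})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

// Outcome records what the client concluded in each scenario.
type Outcome struct {
	TrustedOK        bool   // CA in trust store and name matches: handshake succeeds
	TLS13            bool   // the successful connection negotiated TLS 1.3
	Cipher           string // cipher suite protecting the session
	UnknownAuthority bool   // CA missing from trust store: x509.UnknownAuthorityError
	HostnameMismatch bool   // certificate issued for another name: x509.HostnameError
}

func run() Outcome {
	ca, caKey := issueCert("Example Root CA", nil, true, nil, nil)
	leaf, leafKey := issueCert("app.example", []string{"app.example"}, false, ca, caKey)
	serverCert := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}
	trusted := x509.NewCertPool() // trust store holding only our constructed CA
	trusted.AddCert(ca)

	var out Outcome
	if state, err := handshake(serverCert, trusted, "app.example"); err == nil {
		out.TrustedOK = true
		out.TLS13 = state.Version == tls.VersionTLS13
		out.Cipher = tls.CipherSuiteName(state.CipherSuite)
	}
	var unknown x509.UnknownAuthorityError
	_, err := handshake(serverCert, x509.NewCertPool(), "app.example") // empty trust store
	out.UnknownAuthority = errors.As(err, &unknown)
	var hostErr x509.HostnameError
	_, err = handshake(serverCert, trusted, "other.example") // wrong host for this cert
	out.HostnameMismatch = errors.As(err, &hostErr)
	return out
}

func main() {
	fmt.Printf("%+v\n", run())
}
```

The two failure cases are the ones a browser turns into a warning page: a certificate the trust store cannot vouch for, and a valid certificate presented by the wrong host. Note that the client never sees a server private key, only the certificate; the session key exists only after the handshake, which is why the example reports the negotiated version and cipher rather than the certificate as the thing that protects the data.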

HTTPS is HTTP carried over the SSL/TLS security layer. It delivers data between the endpoints confidentially and with integrity. The certificate itself does not encrypt anything: it proves the server's identity and carries the public key used to set up the session, and it is the session key negotiated in the handshake that encrypts the information users send to the site. Even if someone manages to intercept the traffic between sender and recipient, they cannot read it without that key, and any modification in transit is detected.

SSL/TLS is mandatory for any web application, regardless of which authentication scheme you choose.