Question:
How does SSL work?
2016-05-03 14:53:09 UTC
I've set up certificates before on our servers but didn't really know what I was doing.

Now I'm working with a product where we sell the product to customers and ship it to them. The product runs a REST API.

Now, apparently we connect to this thing using HTTPS. How does that work? Like these things have a random IP and don't use DNS. You can have SSL in that environment? They just send our server their IP, and then we later use this to POST/GET to their API using SSL.

Am I maybe messed up because I'm thinking about web browsers? Do only web browsers require the kind of verification that I think is required?

Thanks.
Three answers:
Tracy L
2016-05-03 16:05:58 UTC
Would you, as a customer, accept a connection to a "self signed" SSL certificate and "add the exception" to your computer so you could use it if all you wanted was to buy a product, or would you shop elsewhere?

Most users will go someplace which is set up properly to do e-commerce. The SSL between your server and the API server is not the issue that SSL is on your API and only happens between your server and the other service the API uses.

SSL certs are based on a STATIC IP that has a verified owner and contact information supplied to a TRUSTED certificate supplier. Thus the "trusted connection". A self signed certificate does not assure the USER any basis of trust.
2016-05-03 15:17:21 UTC
SSL works by comparing a Server's Public key against its Private key...

Public Key is what the Browsers or Client receive once they touch your Server.

Private Key stays on the Server and is not seen by Browsers or Client... Server will encrypt every packet based on this Private Key.

SSL doesn't work against IP Address... Only Actual Servers... that system itself.

A Server can create as many "Self Signed" Certificates as it needs.

No... Web Browsers aren't the only Clients to use SSL Certs. Every secure Client can use an SSL Cert.

If you don't want some perpetrator collecting your packets un-encrypted... so it's best to Encode that Data with an SSL Certificate.

So that POST/GET application you're using actually belongs to HTTP port 80... because you're using Encryption it uses HTTPS, which uses port 443 to encrypt HTTP requests via POST/GET.

Update *** Using a "Self Signed" Certificate will always warn Browsers that this Connection isn't that Secured because the Browser can't Verify the Certificate... by Default the browser will not display the webpage unless you make an exception...

If you want the Browsers to Accept the HTTPS Certificate you will have to purchase a "verified Signed" certificate from an SSL Company online... like VeriSign, SSLshopper, Comodo, DigiCert... etc... many to choose from, all at different price ranges.

For an API you do not need this... Only for Web browsers themselves, to protect the users, because any Server/System can create their own Self Signed Certs... The Icon in the Address bar with the Lock on it shows that you're on a secured HTTPS connection... if this was a Self Signed it would be Red and opened.

A Self Signed gives you the same Encryption protection as a Verified Signed but Verified Signed offers Insurance if you get Hacked while using their SSL Cert.
Biren
2016-05-03 23:56:40 UTC
Tips: How an SSL certificate works...

(1) The browser tries to connect to that SSL-encrypted website.

(2) Then the browser asks the web server to identify itself.

(3) For identification, the server sends a copy of the SSL Certificate to the browser.

(4) Now the browser analyzes the certificate to verify whether to trust it or not.

(5) If the browser trusts the certificate, it gives a message to the server.

(6) After that, to start the SSL encrypted session, the server sends back a digitally signed acknowledgement to the browser.

(7) Now the data shared between browser and server is being encrypted and HTTPS appears.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.
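
For the setup the question describes (devices reached by IP with no DNS name, using self-signed certificates), a non-browser client can still authenticate the device by comparing its certificate to a fingerprint recorded when the device was provisioned. The sketch below is an added example, not part of the original thread; the function names are hypothetical and it assumes the vendor stores a SHA-256 fingerprint per shipped device.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare a certificate with a pinned fingerprint.

    Accepts plain hex or openssl-style 'AA:BB:...' in any case.
    """
    wanted = pinned.replace(":", "").strip().lower()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(fingerprint(der_cert).encode(), wanted.encode())


def open_pinned(ip: str, port: int, pinned: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open TLS to a device by IP and authenticate it by pinned fingerprint.

    CA and hostname checks are disabled because the device presents a
    self-signed certificate and has no DNS name. The pin check replaces
    them and runs before any request data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((ip, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)  # returned even with CERT_NONE
    if der is None or not pin_matches(der, pinned):
        tls.close()
        raise ssl.SSLError("device certificate does not match pinned fingerprint")
    return tls
```

Without the pin check, a context with `CERT_NONE` encrypts the traffic but accepts any certificate, so the client cannot tell the real device from something else answering at that IP.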