SSL – Key points

HTTPS is HTTP with encryption.

HTTPS uses TLS (the successor to SSL) to encrypt ordinary HTTP requests and responses, so the data cannot be read or altered in transit. As a result, HTTPS is far more secure than plain HTTP.

Types of SSL Certificates
  1. Single-domain: A single-domain SSL certificate applies to only one domain (a “domain” is the name of a website, like www.cloudflare.com).
  2. Wildcard: Like a single-domain certificate, a wildcard SSL certificate applies to only one domain. However, it also includes that domain’s subdomains. For example, a wildcard certificate could cover www.cloudflare.com, blog.cloudflare.com, and developers.cloudflare.com, while a single-domain certificate could only cover the first. Note that a wildcard matches only one label level: *.cloudflare.com covers blog.cloudflare.com but not a name nested one level deeper.
  3. Multi-domain (SAN): As the name indicates, a multi-domain SSL certificate can cover multiple unrelated domains, listed in its Subject Alternative Name (SAN) field.
    Reference and image credit: cloudflare.com
Types of SSL Authentication
  1. One-way SSL / Server Certificate Authentication: In one-way SSL authentication (Server Certificate Authentication), only the client validates the server’s certificate; the server does not verify the identity of the client application.
  2. Two-way SSL / Client Authentication: In two-way SSL authentication (mutual TLS), the client application verifies the identity of the server application, and then the server application verifies the identity of the client application. Both parties present their certificates, and each validates the other’s.
SSL methods in load balancers
  1. SSL passthrough:
    1. The load balancer forwards the encrypted traffic from client to server unchanged, so it does no SSL/TLS work at all (and therefore cannot inspect the traffic).
  2. SSL termination (SSL offloading):
    1. Traffic from the client to the load balancer is encrypted.
    2. The load balancer, rather than the server, decrypts the traffic and forwards it to the server in plaintext.
    3. The return communication from the server to the client is encrypted by the load balancer and sent back to the client.
  3. SSL bridging (Full SSL Proxy / SSL Re-Encryption):
    1. When a client sends encrypted data via HTTPS to the load balancer, the load balancer decrypts it.
    2. The load balancer can now inspect all of the HTTPS traffic (deep packet inspection), and if it finds anything suspicious, it blocks that content.
    3. After that, instead of sending the plaintext data to the server, the load balancer rewrites and re-encrypts the data and forwards it to the server.
      Reference and image credit: F5
Server Name Indication (SNI)
  1. Use case: Multiple websites are hosted on one server.
  2. Problem: For HTTPS, the server must present a digital certificate to the client/browser during the SSL/TLS handshake. But the handshake happens before the client indicates over HTTP which website it is connecting to, so which certificate should the server send?
  3. Solution before SNI: Each website gets its own IP address. So if 3 websites are hosted on a server, we need 3 IPs.
  4. How SNI solves the problem: Browsers that support SNI send the name of the website the visitor wants to reach in the first message of the secured connection (the ClientHello), so the server knows which certificate to send back.
    So if 3 websites are hosted on a server, we no longer need 3 IPs. One IP address is sufficient.
    Reference and image credit: https://www.ssls.com/knowledgebase/what-is-sni-technology/
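As an added example (not from the original notes or from ssls.com): the host name that SNI places in the ClientHello can be read by anyone who sees the handshake, which is exactly how a TLS-terminating load balancer chooses a certificate and how a passive network sensor logs which site a client asked for. The record builder is a constructed test fixture (zeroed random, one cipher suite) and the constants are taken from RFC 6066 and RFC 8446; neither function is part of the page.

```python
import struct
# TLS constants from RFC 8446 / RFC 6066; the builder is a test fixture, not a real client.
HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME, HOST_NAME = 0x16, 0x01, 0x0000, 0x00


def build_client_hello(hostname=None):
    """Minimal ClientHello record (zeroed random); hostname=None omits the SNI extension."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name  # ServerName
        sni = struct.pack("!H", len(entry)) + entry               # ServerNameList
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)          # legacy_version, random
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent.
    Raises ValueError for anything that is not a complete ClientHello record."""
    if len(record) < 9 or record[0] != HANDSHAKE or record[5] != CLIENT_HELLO:
        raise ValueError("not a TLS ClientHello record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) - 4 < int.from_bytes(hs[1:4], "big"):
        raise ValueError("truncated ClientHello")
    pos = 4 + 2 + 32                                      # skip header, version, random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    if pos + 2 > len(hs):
        return None                                       # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                                 # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data, pos = hs[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        i, lst_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while i + 3 <= lst_end:                           # walk the ServerNameList
            name_type, name_len = struct.unpack("!BH", data[i:i + 3])
            if name_type == HOST_NAME:
                return data[i + 3:i + 3 + name_len].decode("ascii")
            i += 3 + name_len
    return None
```

Because the name travels in the clear before any encryption is negotiated, it is visible to anyone on the path; that is the property load balancers and monitoring tools rely on, and the reason Encrypted ClientHello was later proposed.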

Certificate Authority