Zend PHP 7 Certification – Security – Secure Socket Layer

This post covers the Secure Socket Layer section of the PHP Security chapter when studying for the Zend PHP 7 Certification.

Secure Socket Layer (SSL) encryption protects data as it is transmitted between client and server.

SSL allows sensitive information such as login credentials to be transmitted securely instead of in plain text. Plain text leaves you vulnerable to eavesdropping: an attacker who is able to intercept the data sent between a browser and a web server can see and use that information.

In order for a website to transmit information securely, an SSL certificate is installed on the server. The certificate consists of a public key and a private key. These keys work together to establish an encrypted connection. The certificate also contains a “subject” which is the identity of the certificate/website owner.

To get a certificate, you must create a Certificate Signing Request (CSR) on your server. The CSR is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your company name, domain name, locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

The CSR data file that you send to the CA (which stands for Certificate Authority) contains the public key. The CA uses the CSR data file to create a data structure to match your private key without compromising the key itself. Once you receive the SSL Certificate, you install it on your server.

The steps below summarise how an SSL certificate works.

  • The browser connects to a web server (website) secured with SSL (https). The browser requests that the server identify itself.
  • The server then sends a copy of its SSL Certificate, including the server’s public key.
  • The browser checks the certificate’s root against its list of trusted CAs and verifies that the certificate is valid. If the browser trusts the certificate, it creates a symmetric session key, encrypts it with the server’s public key, and sends it back.
  • The server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
  • Server and Browser now encrypt all transmitted data with the session key.
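As an added example (not code from the original post), the private key, CSR and certificate flow described above, done with PHP’s OpenSSL extension; the certificate is self-signed here in place of a real CA, and the subject values are constructed placeholders.

```php
<?php
// Added example: generate a private key and CSR in PHP, then sign the CSR.
// In practice the CSR is sent to a CA, which returns the signed certificate.

// Distinguished name: the "subject" identity stored in the certificate.
// All values are constructed placeholders, not a real organisation.
$dn = [
    'countryName'      => 'GB',
    'localityName'     => 'London',
    'organizationName' => 'Example Ltd',
    'commonName'       => 'www.example.com',
];

// 1. Create the private key. It stays on the server and is never sent to the CA.
$privateKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);

// 2. Create the CSR: it embeds the subject and the public key matching $privateKey.
$csr = openssl_csr_new($dn, $privateKey, ['digest_alg' => 'sha256']);

// 3. Sign the CSR. Passing null as the CA certificate produces a self-signed
//    certificate for demonstration; a CA would pass its own certificate and key.
$cert = openssl_csr_sign($csr, null, $privateKey, 365, ['digest_alg' => 'sha256']);

// Export PEM text: the certificate and private key are what gets installed on the server.
openssl_csr_export($csr, $csrPem);
openssl_x509_export($cert, $certPem);
openssl_pkey_export($privateKey, $keyPem);

// Inspect the certificate: the subject and validity are what the browser receives.
$info = openssl_x509_parse($cert);
echo 'Subject CN: ' . $info['subject']['CN'] . PHP_EOL;
echo 'Valid until: ' . date('Y-m-d', $info['validTo_time_t']) . PHP_EOL;

// Confirm the certificate's public key matches the private key we generated.
var_dump(openssl_x509_check_private_key($cert, $privateKey));

// A PHP client should mirror the browser's check and verify the server
// certificate against trusted CAs; setting verify_peer to false defeats SSL.
$context = stream_context_create(['ssl' => [
    'verify_peer'      => true,
    'verify_peer_name' => true,
    // 'cafile' => '/path/to/ca-bundle.pem', // trusted CA list if not the system default
]]);
```

The `$csrPem`, `$certPem` and `$keyPem` strings are the files you would respectively send to the CA, install on the server, and keep private.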

There are many benefits to using SSL Certificates, including the following.

  • Get HTTPS, which earns a stronger Google ranking.
  • Create safer experiences for your customers.
  • Build customer trust and improve conversions.
  • Protect both customer and internal data.
  • Encrypt browser-to-server and server-to-server communication.
