View Single Post
01-15-2008, 01:57 PM
Alan @ CIT
Member of the Month
Join Date: Apr 2005
Location: South UK
Trying to explain the SSL browser<->server process is complicated but I've taken a stab at it
It's a bit of a ramble but hopefully makes sense.
Note: For those unsure of public/private keys, think of them as very long passwords :)
Web browser sends the web server some basic SSL info such as what encyrption types it can support
Server replies with its own SSL info including it's security certificate and public key
Web browser checks the certificate is valid and came from the correct domain
Web browser now creates a private key that it combines with the servers public key and sends back to the server.
Web browser and the Server now create yet another key - the "master" key - this will be used from now on (until the end of the session) to encrypt/decyrpt the requests
The web browser confirms to the web server that it's ready to start sending encyrpted data and the Server confirms to the web browser that it is also ready.
All data is now encrypted by the web browser before being sent to the web server and the server encrypts all data (ie, web pages) before sending them back to the web browser.
As Wildhoney mentioned, none of this really matters in PHP - all you have to do is make sure your script is being accessed by https:// rather than http:// and that the web server supports SSL.
And the reason for using SSL to send things like credit card numbers is so that no-one can perform a "man in the middle" attack - basicly someone records all info sent between you and the server. If the credit card number was sent un-encrypted then they would see it in plain text - which would be bad
Alan @ CIT
View Public Profile
Send a private message to Alan @ CIT
Find More Posts by Alan @ CIT