I have looked all over, and I can't seem to find any quality articles on SSL.
Could someone please tell me exactly how SSL is supposed to make things more secure? How would I use SSL?
The most information I could really find (up to the 8th page in Google and going through the web of affiliates some sites have) is that you should use SSL for securing things like credit card numbers. I don't know how it works at all.
You know, I've had the same problems finding the information, but it really changes nothing in terms of PHP. Look for general articles on setting up SSL and getting a certificate from a recognised certifier, and then you'll simply have either a new FTP, or a separate directory on your FTP which is for the secure files, so then you'll have the HTTP version and HTTPS.
Therefore when you want to use the secure SSL, link to the files on the HTTPS. The only real difference in terms of PHP is that you'll want to check for the protocol being used - HTTP or HTTPS. This prevents secure pages being used without the secure protocol.
As SSL is quite expensive in terms of the bandwidth utilised in first setting up an encryption system, a lot of websites load the main chunk of the page in HTTP and then embed the login boxes in HTTPS. If you remember, there used to be a warning in Internet Explorer, and still is, where it informs you that there are both secure and insecure elements on the page. That happens for that very reason: HTTP and HTTPS on one page.
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
Addendum: Alan's post is better than mine, though slightly less general in description.
SSL is a communication protocol similar in nature to HTTP, hence why it is HTTPS. SSL stands for: Secure Socket Layer. Without getting too technical, the basics of SSL are these:
All communication is encrypted
When negotiating a connection, systems agree on encryption.
As data passes through, the encryption codes rotate.
The connection ends, and the session is disposed.
Obviously there is a great deal more behind this technology, but SSL is a very potent security package. SSL1 has a few problems now due to age, but it is still better than plain HTTP. SSL2, on the other hand, requires someone to "tap" your datastream from the beginning for them to have any chance to spy on you.
It doesn't do anything more than make the transport of the data between server and client secure through encryption.
Programmers are in a race with the Universe to create bigger and better idiot-proof programs, while the Universe is trying to create bigger and better idiots. So far the Universe is winning. - Rich Cook
Last edited by RobertK : 01-15-2008 at 01:59 PM.
Reason: Didn't see Alan's post.
Trying to explain the SSL browser<->server process is complicated, but I've taken a stab at it. It's a bit of a ramble but hopefully makes sense.
Note: For those unsure of public/private keys, think of them as very long passwords :)
Web browser sends the web server some basic SSL info such as what encryption types it can support
Server replies with its own SSL info including its security certificate and public key
Web browser checks the certificate is valid and came from the correct domain
Web browser now creates a private key that it combines with the server's public key and sends back to the server.
Web browser and the server now create yet another key - the "master" key - this will be used from now on (until the end of the session) to encrypt/decrypt the requests
The web browser confirms to the web server that it's ready to start sending encrypted data and the server confirms to the web browser that it is also ready.
All data is now encrypted by the web browser before being sent to the web server and the server encrypts all data (i.e., web pages) before sending them back to the web browser.
As Wildhoney mentioned, none of this really matters in PHP - all you have to do is make sure your script is being accessed by https:// rather than http:// and that the web server supports SSL.
Edit: And the reason for using SSL to send things like credit card numbers is so that no one can perform a "man in the middle" attack - basically someone records all info sent between you and the server. If the credit card number was sent unencrypted then they would see it in plain text - which would be bad
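The protocol check that Wildhoney and Alan both describe, as an added PHP example (not code from anyone in this thread). It assumes a normal web SAPI that fills `$_SERVER`, and the hostname and proxy address are placeholders you would replace with your own.

```php
<?php
// Added example: refuse to serve a "secure" page unless it was requested
// over HTTPS. Must run before any output, since it sends headers.

const SITE_HOST     = 'www.example.com'; // placeholder: your own hostname
const TRUSTED_PROXY = '10.0.0.1';        // placeholder: TLS-terminating proxy, if any

function request_is_https(array $server): bool
{
    // Direct TLS connection: Apache/nginx set HTTPS to "on", IIS uses "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Behind a reverse proxy that terminates TLS, only believe the forwarded
    // protocol header when the request really came from that proxy;
    // otherwise any client could set the header and bypass the check.
    if (($server['REMOTE_ADDR'] ?? '') === TRUSTED_PROXY
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        return true;
    }
    return false;
}

function require_https(array $server): void
{
    if (request_is_https($server)) {
        // Ask the browser to use HTTPS for this host from now on (HSTS).
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // Only GET/HEAD can safely be redirected; a POST (e.g. a card number)
    // has already crossed the wire in the clear, so reject it instead.
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if (in_array($method, ['GET', 'HEAD'], true)) {
        // Use the configured hostname, not the client-supplied Host header.
        $target = 'https://' . SITE_HOST . ($server['REQUEST_URI'] ?? '/');
        header('Location: ' . $target, true, 301);
        exit;
    }
    http_response_code(403);
    exit('This page must be requested over HTTPS.');
}

require_https($_SERVER);
// ... the rest of the secure page (login form, checkout, etc.) follows ...
```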