Indiana University

What are secure web sites and SSL/TLS certificates?

Generally, secure web sites use encryption and authentication standards to protect the confidentiality of web transactions.

Currently, the most commonly used protocol for web security is TLS, or Transport Layer Security. This technology is still commonly referred to as SSL, or Secure Sockets Layer, a predecessor to TLS. In addition to providing security for HTTP (web hypertext) transactions, TLS works with other TCP/IP standards such as IMAP mail and LDAP directory access. For a security standard such as TLS/SSL to work, your browser and the web server must both be configured to use it.

When you connect to a web site using TLS, your browser asks the server to authenticate itself, or confirm its identity. The authentication process uses cryptography to verify that a trusted independent third party, or certificate authority, such as Comodo, Thawte, or VeriSign, has registered and identified the server. TLS can also authenticate connecting users or their computers.

In addition, TLS encrypts the data that you send, and incorporates a mechanism for detecting any alteration in transit, so that eavesdropping on or tampering with web traffic is almost impossible. This is essential for safely transmitting highly confidential information such as credit card numbers.

Nearly all current browsers are set up by default to accept SSL certificates from most established certificate authorities, and to notify you when you are entering or leaving secure sites, including secure areas of comprehensive sites.

For a detailed discussion of the TLS/SSL protocol, see "What is TLS/SSL?" at Microsoft TechNet. For a general discussion of web security, see the World Wide Web Consortium's "World Wide Web Security FAQ".