SECTION ONE
INTRODUCTION
1.1 OVERVIEW OF THE STUDY

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link
between a server and a client, typically a web server (website) and a browser; or a mail server
and a mail client (e.g., Outlook). SSL allows sensitive information such as credit card numbers,
social security numbers, and login credentials to be transmitted securely. Normally, data sent
between browsers and web servers is sent in plain text, leaving you vulnerable to eavesdropping.
If an attacker is able to intercept all data being sent between a browser and a web server, they can
see and use that information. More specifically, SSL is a security protocol. Protocols describe
how algorithms should be used; in this case, the SSL protocol determines variables of the
encryption for both the link and the data being transmitted.
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security
of a message transmission on the Internet. SSL uses a program layer located between the
Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL
is included as part of both the Microsoft and Netscape browsers and most Web server products.
Developed by Netscape, SSL also gained the support of Microsoft and other Internet
client/server developers and became the de facto standard until evolving into Transport
Layer Security. The "sockets" part of the term refers to the sockets method of passing data back
and forth between a client and a server program in a network or between program layers in the
same computer. SSL uses the public-and-private key encryption system fro, which also includes
the use of a digital certificate. TLS and SSL are an integral part of most Web browsers (clients)
and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific
Web pages can be identified as requiring SSL access. Any Web server can be enabled by using
Netscape's SSLRef program library, which can be downloaded for noncommercial use or
licensed for commercial use.
One of the most important components of online business is creating a trusted
environment where potential customers feel confident in making purchases. Browsers give visual
cues, such as a lock icon or a green bar, to help visitors know when their connection is secured.
Regardless of where you access the Internet from, the connection between your Web browser and
any other point can be routed through dozens of independent systems. Through snooping,
spoofing, and other forms of Internet eavesdropping, unauthorized people can steal credit card
numbers, PIN numbers, personal data, and other confidential information. As such there is a need
for a secure environment where people can conduct their transactions.

SECTION TWO
REVIEW OF RELATED LITERATURE
2.1 OVERVIEW OF SECURE SOCKET LAYER

According to Ologun (2010), when a client and server communicate, SSL ensures that the
connection is private and secure by providing authentication, encryption, and integrity checks.
Authentication confirms that the server, and optionally the client, is who they say they are.
Encryption through a key-exchange then creates a secure tunnel between the two that prevents
any unauthorized system from reading the data. Integrity checks guarantee that any unauthorized
system cannot modify the encrypted stream without being detected. SSL-enabled clients (such as
a Mozilla or Microsoft Internet Explorer web browser) and SSL-enabled servers (such as
Apache) confirm each other's identities using digital certificates. Digital certificates are issued
by trusted third parties called Certificate Authorities (CAs) and provide information about an
individual's claimed identity, as well as their public key. Public keys are a component of public-key
cryptographic systems. The sender of a message uses a public key to encrypt data. The
recipient of the message can only decrypt the data with the corresponding private key. Public
keys are known to everybody; private keys are secret and only known to the owner of the
certificate. By validating the CA digital signature on the certificates, both parties can ensure that
an imposter has not intercepted the transmission and provided a false public key for which they
have the correct private key. SSL uses both public-key and symmetric key encryption.
Symmetric key encryption is much faster than public-key encryption, but public-key encryption
provides better authentication techniques. So SSL uses public key cryptography for
authentication and for exchanging the symmetric keys that are used later for bulk data
encryption. The secure tunnel that SSL creates is an encrypted connection that ensures that all
information sent between an SSL-enabled client and an SSL-enabled server remains private. SSL
also provides a mechanism for detecting if someone has altered the data in transit. This is done
with the help of message integrity checks. These message integrity checks ensure that the
connection is reliable. If, at any point during a transmission, SSL detects that a connection is not
secure, it terminates the connection and the client and server establish a new secure connection
(Isaac, 2009).
2.2 SECURE SOCKET LAYER (SSL) AND PEOPLE'S VIEW

The NSA has for years been capturing and storing almost everything imaginable, including
massive amounts of data exchanged among Americans who are not suspected of any crime
(Johnbull, 2012). Although SSL is one of the most common methods of encryption on the
Internet, it is by no means the only one. Systems that employ longer encryption keys than SSL's,
for example, will prove tougher for the NSA to crack. Even so, better encryption will only hold
out for so long, Kocher argued. "Cryptographic improvements may rein in some of the most
indiscriminate collection of data, but the horrible state of endpoint security will prevent this from
making much of a difference for end users on the Web," Kocher said. SSL, he explained, requires
security certificates at both ends of the equation. Both user- and server-side systems need to
verify that information is secure. However, through NSA programs like PRISM, the government
can access information from organizations like Google and Microsoft anyway. Data that is
encrypted en route does little good when it arrives at its endpoint and goes into the NSA's hands.
Kocher (2009) also pointed out that cyber security in the United States does not exist in a
vacuum. The NSA is hardly the only government organization that wants your data, or has the
means to acquire it. "The spying problem doesn't end with the NSA," he said. "Every intelligence
agency worldwide wants the same material, and now they're all going to be benchmarked against
NSA's known powers. There will be a huge pressure to catch up to NSA, and where this leads is
not pretty."
2.3 THE BLUE COAT SYSTEMS SSL TRAFFIC SOLUTIONS

According to Wallace (2013), the Blue Coat ProxySG solves a number of SSL related issues. Depending on your
needs, you can use the ProxySG as an SSL forward proxy for securing outbound traffic, an SSL
proxy for wide area network (WAN) optimization, or an HTTPS reverse proxy for web server
acceleration. Blue Coat appliances use patented technology to detect, inspect, optimize, and
accelerate all web traffic and SSL/TLS based applications. Unlike other solutions, administrators
have the flexibility to choose the optimization and acceleration techniques for their enterprise
depending on their security policies. Blue Coat appliances use patented software techniques and
hardware acceleration to optimize encryption algorithms and reduce SSL/TLS handshakes over
the WAN. This significantly improves user experience, improves overall productivity, and
increases performance of servers in the data center. In addition, administrators can reduce latency
and improve bandwidth by securely reducing and limiting redundant patterns of traffic, anywhere
from the byte/packet level up to the application level, or even both when configured. Security
policies and acceleration and optimization techniques can be granularly applied (or not applied)
based on users or departments, source or destination, application or content, or all of the above.
2.4 TRANSPORT AND SECURE SOCKET LAYER SECURITY

According to Francis (2013), Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL),
are cryptographic protocols which are designed to provide communication security over the
Internet. They use X.509 certificates and hence asymmetric cryptography to assure the identity of the
counterparty with whom they are communicating, and to exchange a symmetric key. This session
key is then used to encrypt data flowing between the parties. This allows for data/message
confidentiality and message authentication codes for message integrity and as a by-product,
message authentication. Several versions of the protocols are in widespread use in applications
such as web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP
(VoIP). An important property in this context is forward secrecy, so the short term session key
cannot be derived from the long term asymmetric secret key.
According to Moses (2014), as a consequence of choosing X.509 certificates, certificate authorities and a
public key infrastructure are necessary to verify the relation between a certificate and its owner,
as well as to generate, sign, and administer the validity of certificates. While this can be more
beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures
made it more widely known that certificate authorities are a weak point from a security
standpoint, allowing man-in-the-middle attacks. In the TCP/IP model view, TLS and SSL encrypt
the data of network connections at a lower sub layer of its application layer. In OSI model
equivalences, TLS/SSL is initialized at layer 5 (the session layer) then works at layer 6 (the
presentation layer): first the session layer has a handshake using an asymmetric cipher in order to
establish cipher settings and a shared key for that session; then the presentation layer encrypts
the rest of the communication using a symmetric cipher and that session key. In both models,
TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted
data.

2.5 SSL CRYPTO ALGORITHMS

According to George (2012), SSL supports a variety of different cryptographic algorithms, or ciphers, that it
uses for authentication, transmission of certificates, and establishing session keys. SSL-enabled
devices can be configured to support different sets of ciphers, called cipher suites. If an SSL-enabled
client and an SSL-enabled server support multiple cipher suites, the client and server
negotiate which cipher suites they use to provide the strongest possible security supported by
both parties. A cipher suite specifies and controls the various cryptographic algorithms used
during the SSL handshake and the data transfer phases. Specifically, a cipher suite provides the
following:
--> Key exchange algorithm: The asymmetric key algorithm used to exchange the symmetric
key. RSA and Diffie-Hellman are common examples.
--> Public key algorithm: The asymmetric key algorithm used for authentication. This decides
the type of certificates used. RSA and DSA are common examples.
--> Bulk encryption algorithm: The symmetric algorithm used for encrypting data. RC4, AES,
and Triple-DES are common examples.
--> Message digest algorithm: The algorithm used to perform integrity checks. MD5 and SHA-1
are common examples.
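
The four roles above can be read directly from a cipher suite's name. The following is an added example, not part of the original paper: it parses registry-style names of the form TLS_<kx>_<auth>_WITH_<cipher>_<digest> and flags legacy choices. The sample names are constructed input, and the weak-algorithm policy (including flagging key exchanges without the forward secrecy discussed in 2.4) is an assumption of this example.

```python
"""Added example: map cipher suite names onto the four roles listed in 2.5."""
from dataclasses import dataclass
from typing import Dict, List

# Policy tables are assumptions of this example; adjust them to local policy.
WEAK_BULK = {
    "NULL": "no encryption at all",
    "RC4": "RC4 keystream biases; prohibited by RFC 7465",
    "DES": "56-bit key",
    "3DES": "64-bit block size (Triple-DES)",
}
WEAK_DIGEST = {
    "MD5": "MD5 is not collision resistant",
    "SHA": "SHA-1 is deprecated",
}
FORWARD_SECRET_KX = {"DHE", "ECDHE"}  # ephemeral Diffie-Hellman variants


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str      # how the symmetric key is agreed
    authentication: str    # certificate / signature type
    bulk_cipher: str       # symmetric algorithm for application data
    digest: str            # hash used for the MAC (or the PRF in AEAD suites)
    export_grade: bool = False


def parse_suite(name: str) -> CipherSuite:
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<digest>; TLS 1.3 names are rejected."""
    head, sep, tail = name.partition("_WITH_")
    if not sep or not head.startswith(("TLS_", "SSL_")):
        raise ValueError(f"not a <kx>_WITH_<cipher> suite name: {name!r}")
    left = head.split("_")[1:]
    export = "EXPORT" in left
    left = [tok for tok in left if tok != "EXPORT"]
    # Names that end in a mode rather than a hash (e.g. ..._CCM) are not handled.
    bulk, _, digest = tail.rpartition("_")
    if not left or not all(left) or not bulk or not digest:
        raise ValueError(f"malformed suite name: {name!r}")
    kx = left[0]
    # TLS_RSA_WITH_... uses RSA for both key exchange and authentication.
    auth = left[1] if len(left) > 1 else left[0]
    return CipherSuite(name, kx, auth, bulk, digest, export)


def audit(suite: CipherSuite) -> List[str]:
    """Return one finding per component that the policy tables consider weak."""
    findings = []
    if suite.key_exchange not in FORWARD_SECRET_KX:
        findings.append(f"key exchange {suite.key_exchange}: no forward secrecy")
    if suite.authentication == "anon":
        findings.append("authentication anon: peer is not authenticated")
    family = suite.bulk_cipher.split("_")[0]
    if family in WEAK_BULK:
        findings.append(f"bulk cipher {suite.bulk_cipher}: {WEAK_BULK[family]}")
    if suite.digest in WEAK_DIGEST:
        findings.append(f"digest {suite.digest}: {WEAK_DIGEST[suite.digest]}")
    if suite.export_grade:
        findings.append("export-grade key lengths")
    return findings


# Constructed sample input: a server's configured suites, strongest last.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def audit_all(names: List[str]) -> Dict[str, List[str]]:
    return {n: audit(parse_suite(n)) for n in names}


if __name__ == "__main__":
    for suite_name, problems in audit_all(SAMPLE_SUITES).items():
        print(suite_name)
        for p in problems or ["no findings"]:
            print("   ", p)
```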
2.6 SECURE SOCKET LAYER 3.0

According to Stella (2011), SSL 3.0 improved upon SSL 2.0 by adding SHA-1 based ciphers and
support for certificate authentication. From a security standpoint, SSL 3.0 should be considered
less desirable than TLS 1.0. The SSL 3.0 cipher suites have a weaker key derivation process; half
of the master key that is established is fully dependent on the MD5 hash function, which is not
resistant to collisions and is, therefore, not considered secure. Under TLS 1.0, the master key that
is established depends on both MD5 and SHA-1 so its derivation process is not currently
considered weak. It is for this reason that SSL 3.0 implementations cannot be validated under
FIPS 140-2.
According to Anthonia (2013), there are some attacks against the implementation rather than the
protocol itself: In the earlier implementations, some CAs did not explicitly set basicConstraints
CA=FALSE for leaf nodes. As a result, these leaf nodes could sign rogue certificates. In addition,
some early software (including IE6 and Konqueror) did not check this field at all. This can
be exploited for a man-in-the-middle attack on all potential SSL connections. Some
implementations (including older versions of Microsoft Cryptographic API, Network Security
Services and GnuTLS) stop reading any characters that follow the null character in the name
field of the certificate, which can be exploited to fool the client into reading the certificate as if it
were one that came from the authentic site. (e.g., PayPal.com\0.badguy.com would be mistaken
as the site of PayPal.com rather than badguy.com.) Browsers implemented SSL/TLS protocol
version fallback mechanisms for compatibility reasons. The protection offered by the SSL/TLS
protocols against a downgrade to a previous version by an active man-in-the-middle attack can
be rendered useless by such mechanisms.
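
Two of the implementation flaws above come down to checks a validating client has to perform. The following is an added example, not part of the original paper: it contrasts a name comparison that stops at the null character with a length-aware one, and rejects chains in which a non-CA certificate has signed another. The Cert class is a constructed stand-in for a parsed X.509 certificate, and only exact names are matched (wildcards are out of scope).

```python
"""Added example: name matching and basicConstraints checks described in 2.6."""
import re
from dataclasses import dataclass
from typing import List

# A plain DNS name: labels of letters, digits and hyphens separated by dots.
_DNS_NAME = re.compile(rb"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*")


def naive_match(cert_name: bytes, host: str) -> bool:
    """Flawed behaviour: the name is read as a C string, so reading stops at NUL."""
    seen = cert_name.split(b"\x00", 1)[0]
    return seen.lower() == host.lower().encode("ascii")


def strict_match(cert_name: bytes, host: str) -> bool:
    """Length-aware check: the whole field must be a DNS name and match in full."""
    if _DNS_NAME.fullmatch(cert_name) is None:
        return False                      # embedded NUL or other illegal bytes
    return cert_name.lower() == host.lower().encode("ascii")


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool   # basicConstraints CA flag; False when the extension is absent


def chain_errors(chain: List[Cert]) -> List[str]:
    """chain[0] is the server certificate; each later entry issued the one before it."""
    errors = []
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            errors.append(f"{child.subject}: issuer does not match {parent.subject}")
        if not parent.is_ca:
            errors.append(f"{parent.subject} signed {child.subject} but is not a CA")
    return errors


# The name from the text above, as raw bytes from the certificate field.
SPOOFED_NAME = b"PayPal.com\x00.badguy.com"

# Constructed chains for illustration.
GOOD_CHAIN = [
    Cert("www.example.test", "Example Intermediate", False),
    Cert("Example Intermediate", "Example Root", True),
    Cert("Example Root", "Example Root", True),
]
LEAF_SIGNED_CHAIN = [
    Cert("bank.example.test", "shop.example.test", False),
    Cert("shop.example.test", "Example Root", False),   # leaf acting as an issuer
    Cert("Example Root", "Example Root", True),
]

if __name__ == "__main__":
    print("naive :", naive_match(SPOOFED_NAME, "paypal.com"))
    print("strict:", strict_match(SPOOFED_NAME, "paypal.com"))
    print("good chain :", chain_errors(GOOD_CHAIN))
    print("leaf-signed:", chain_errors(LEAF_SIGNED_CHAIN))
```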

2.7 HOW THE SSL CERTIFICATE CREATES A SECURE CONNECTION

When a browser attempts to access a website that is secured by SSL, the browser and the web
server establish an SSL connection using a process called an SSL Handshake (see diagram
below). Note that the SSL Handshake is invisible to the user and happens instantaneously.
Essentially, three keys are used to set up the SSL connection: the public, private, and session
keys. Anything encrypted with the public key can only be decrypted with the private key, and
vice versa. Because encrypting and decrypting with private and public key takes a lot of
processing power, they are only used during the SSL Handshake to create a symmetric session
key. After the secure connection is made, the session key is used to encrypt all transmitted data
(Lydia, 2007).
1. Browser connects to a web server (website) secured with SSL (https). Browser requests
that the server identify itself.
2. Server sends a copy of its SSL Certificate, including the server's public key.
3. Browser checks the certificate root against a list of trusted CAs and that the certificate is
unexpired, unrevoked, and that its common name is valid for the website that it is
connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a
symmetric session key using the server's public key.
4. Server decrypts the symmetric session key using its private key and sends back an
acknowledgement encrypted with the session key to start the encrypted session.
5. Server and Browser now encrypt all transmitted data with the session key.
2.8 SECURE SOCKET LAYER TRANSACTION

According to Daniel (2007), the handshake begins when a client connects to an SSL-enabled server, requests a
secure connection, and presents a list of supported ciphers and versions.

From this list, the server picks the strongest cipher and hash function that it also supports
and notifies the client of the decision. Additionally, the server sends back its identification in the
form of a digital certificate. The certificate usually contains the server name, the trusted
certificate authority (CA), and the server's public encryption key. The server may require client
authentication via a signed certificate as well (required for some on-line banking operations);
however, many organizations choose not to widely deploy client-side certificates due to the
overhead involved in managing a public key infrastructure (PKI).
The client verifies that the certificate is valid and that a Certificate Authority (CA) listed
in the client's list of trusted CAs issued it. These CA certificates are typically locally configured.
If it determines that the certificate is valid, the client generates a master secret, encrypts it
with the server's public key, and sends the result to the server. When the server receives the
master secret, it decrypts it with its private key. Only the server can decrypt it using its private
key.
The client and server then convert the master secret to a set of symmetric keys called a
key ring or the session keys. These symmetric keys are common keys that the server and browser
can use to encrypt and decrypt data. This is the one fact that makes the keys hidden from third
parties, since only the server and the client have access to the private keys.
This concludes the handshake and begins the secured connection allowing the bulk data
transfer, which is encrypted and decrypted with the keys until the connection closes. If any one
of the above steps fails, the SSL handshake fails, and the connection is not created. Though the
authentication and encryption process may seem rather involved, it happens in less than a
second. Generally, the user does not even know it is taking place. However, the user is able to tell
when the secure tunnel has been established since most SSL-enabled web browsers display a
small closed lock at the bottom (or top) of their screen when the connection is secure. Users can
also identify secure web sites by looking at the web site address; a secure web site's address
begins with https rather than the usual http.
2.9 HOW IS INFORMATION TRANSFERRED ACROSS THE INTERNET

For information to be transferred over the internet, several actions must take place. First, every
computer on the internet must be communicating in the same language. Internet Protocol (IP) is
probably the most common type of network in existence today. On an IP network, each
connected computer is given an address called an IP address. This is used to identify each
computer uniquely on a network. These IP addresses are expressed as a series of decimal
numbers that are linked to text names by using the Domain Name System (DNS). This enables
you to remember the name of a target such as www.CNN.com instead of 127.24.102.2 for
example. Once your source and target are identified your message or information is broken into
small segments of information called packets. According to the website How Stuff Works.com,
"Each packet carries the information that will help it get to its destination -- the sender's IP
address, the intended receiver's IP address, something that tells the network how many packets
this message has been broken into and the number of this particular packet." Each packet
contains a portion of the message or information that is being sent. These packets are sent out
using routers which direct the packets across the networks to the destination. Once all of the
packets arrive at the destination they are reassembled into the original message format.

SECTION THREE
DISCUSSION AND EVALUATIONS
3.1 ENABLING TECHNOLOGIES
Internet

The Internet is a global collection of many types of computers and computer networks that are
linked together. It is increasingly becoming the solution to much information, problems,
information exchange, and marketing. Camillus et al. (2007) describe the Internet as a mixture
of many services with the two most commonly used being electronic mail (e-mail for short) and
the World Wide Web (www). It plays a significant role in education, health, political processes,
agriculture, economy, businesses and newsgroups. It is a fact that with Internet connectivity, one
can do business all over the world without physical contact with the buyer or the need for a
business intermediary.
E-mail
Electronic mail (e-mail) is the exchange of text messages and computer files transmitted via
communications networks such as the Internet. The e-mail system is seen as the equivalent of
postal mailing services, with the biggest difference being the time and cost involved. And not
only written data, but all sorts of information in the form of video, audio, or photographs, can be
sent via e-mail.

The Server

Finally, agents run on servers, such as databases, groupware servers, and virtually any other
system of interest. The Java virtual machine is omnipresent on such systems and in many cases is
already supporting local access to their services. To such a server, Mobile Agents are simply
another standard client. When coupled to the power of the Mobile Agent network, an entirely
different, more powerful system is created without impacting the server at all.
3.2 HOW SECURE SOCKETS LAYER WORKS


Secure Sockets Layer works in four stages. The first action that takes place is the SSL
request. Next, the SSL handshake takes place. Then the information is securely transferred.
Finally the connection is terminated. Several actions may take place during each stage.
During the SSL request stage, the client or requestor requests a secure communication
link between it and the computer acting as the server or target. This is accomplished by making
a communication request on port 443. Normally, unsecure communication takes place on port 80
for TCP/IP networks. Port 443 is designated exclusively for secure or HTTPS connections.
Once the SSL request has been made the SSL Handshake takes place. This is the most
important step in establishing a secure connection. At this point, the client and server exchange
the applicable digital certificates. In some SSL transactions both the client and server are
required to have digital certificates, but this is not common in most commercial transactions over
the internet. This information is then checked against the appropriate Certificate Authority, such
as VeriSign or another trusted CA, for identity of the owner and expiration date of the
certificate. Additionally, the client will notify the server of all of the possible encryption
algorithms that it can support. Once this is done, the client and server will mutually agree to use
the highest level encryption algorithm that they both support. Once this common encryption
algorithm is established, the client will randomly generate a code called a pre-master secret that
is encrypted using the server's public key. The server then uses its private key to decode the pre-master
secret. Both the client and the server mutually use the pre-master secret to create a master
secret which ultimately is used to create another set of symmetric keys written in the agreed upon
encryption algorithm. Symmetric keys are the same for both the encryptor and decryptor. This
set of keys is referred to as the cipher keys or session keys. These session keys are randomly
generated and are only valid during the established session between the client and the server.
Once the connection is broken or times out, the session keys are no longer usable. The
symmetric session key is encrypted by the client using the server's public key and sent to the
server. This ensures that the only entity that can decrypt the session key is the server. The client
and server then send messages to each other encrypted with the session key stating that all future
transmissions will be sent using the session keys and that their respective handshake
communications are complete. This completes the SSL handshake and now information can be
safely transferred from one computer to the other using the session key. Additionally, for the
purpose of authentication, the server may be required to send a message to the client using the
session key and then encrypt it with his or her private key. This message can be decrypted by the
client using the server's public key which will serve as a digital signature for the message
ensuring that the message is authentic and then use the session key to decrypt the message itself
to view its contents.
After the SSL handshake has taken place, the transmission of secure data can take place. All
communications between client and server must be made using the session key once the SSL
handshake has taken place. When the transaction is completed, or the client is directed to a
location outside of the secure link, he or she will be notified that they are leaving a secure
connection and asked if they wish to cancel or continue the operation.

A typical SSL transaction may follow the sequence of events illustrated in the following
example.

In an ecommerce transaction, the buyer's computer would make the request to
establish the secure connection between it and the seller's website. The seller's computer would
then reveal its digital certificate along with its public key information to the buyer's computer.
After the digital signature has been verified by the buyer's computer, the buyer's computer
notifies the seller of all of the encryption algorithms that it can support. Both the buyer and
seller computers then mutually agree upon the algorithms to be used during the session. Next,
the buyer's computer randomly generates a pre-master secret code which it encrypts and sends to
the seller's computer. From this pre-master secret the buyer's and seller's computers mutually
establish a set of symmetric session keys (both encryption and decryption keys are the same) to
be used for the transaction and encrypts them with the seller's public key. The seller's computer
then receives the encrypted message and decodes it using its private key. Now both the buyer
and the seller know the session keys, but nobody else does since the transmission of the session
keys itself was encrypted. Then the seller's computer sends a message using the session key and
encrypts it using his or her private key. This will digitally sign the message. The buyer's
computer then receives the message and decrypts it using the seller's public key. This will show
that the message is authentic because it was signed by the seller. The buyer's computer then
sends a message back to the seller using the session key and the seller's public key verifying the
validity of the session keys and ending the handshake session. Now all communications between
the buyer and the seller will take place using the session keys to encode and decode the message
and the seller's public and private keys to authenticate the message. Now the buyer can securely
send the seller his or her personal information such as bank account or credit card number and
address.

3.3 ADVANTAGES OF USING A SECURE SOCKET LAYER

SSL (Secure Socket Layer) certificate security is a must-have for any online ecommerce website
or any site that wishes to accept payments. SSL certificates are a massive benefit to your
website and your visiting customers. Gaining their confidence is very important if you wish
to be successful online. In this article we will be highlighting some of an SSL certificate's benefits
not only to you but to your customers as well. If you have an online business such as an online
store it is most likely that you have heard of SSL. An SSL certificate is an online security
encryption method used to keep data transferred on your site by your customers secure. SSL
certificates also give instant security and peace of mind to your customers as your site will show
that it is secure either by displaying a padlock or a green address bar. We thought we would list
some of the main benefits that come with purchasing an SSL certificate and how it helps with the
protection on your website.

Server Authentication
SSL certificates will keep you and your site protected and not just your customers. To work, your
website will use something called a server, where all your information and details about your site
are kept online, and therefore you will need something called a digital certificate. When you
purchase an SSL certificate you will be provided with one of these certificates. Your customers
and visitors to your site will then be able to read them. Digital Certificates are obtained from
trusted third parties known as Certificate Authorities that can guarantee the encryption of your
website. The certificate is proof that the server is what it says it is and you are who you say you
are. SSL certificates will make it almost impossible for online fraudsters to pretend to be another
server on your website, making your customers feel safe and want to use your site again.

Private Communication
One of the main functions of using SSL protection on your site is that it makes transaction
conversations private. SSL certificates encrypt any data used on your site, such as credit or debit
card numbers, PayPal details, and login details, into unreadable pieces of information. SSL
certificates will then add random numbers and digits to that information, making it impossible to
determine any details of value. Once your information has been transformed into a mass of
characters, to enable the recipient of the information to transform it back to a readable format the
website owner will have an encryption key that will allow them to decode the messages. Fear not:
if the information does fall into the wrong hands, all the information will be useless.

Customer Confidence
Customer confidence is perhaps the main reason why you need to have an SSL certificate in place
on your website. It will allow customers to see and verify that you are taking the protection of
their personal information seriously. Of course the average Joe shopping online will notice if a
site has an SSL or for that matter what an SSL certificate is! This is why it is important to show and
make a point of placing your SSL certificate icon on your site. Another idea to inform your
customers that you are using SSL to keep your site secure is to place the information in your
site disclaimer or T&Cs, or take advantage of a certificate that has a Site Seal you can
prominently display.

Customers will also benefit from SSL


When looking for a secure website or online company to spend your hard earned cash on, it is
important for visitors to your site to favour yours over your competition. Websites with SSL
certification will keep your customers' personal payment information safe and secure.
As a visitor to your site, one of the key things that will go through your head is if the site is safe
to use and you will want to know that your personal information is as safe as it can be. By
looking out for the SSL certificate you will know that the site you are using is safe and the online
company you are using is a safe and reputable company, and all your details will be safe and
secure. An SSL certificate will not completely protect you from identity theft. You have to play
your part in being careful where you submit your information. But websites that use SSL
significantly reduce the likelihood of any of your information falling into the wrong hands. It is
important that we all play our part in keeping our details secure, and being careful where we
shop online. Unfortunately today there are people out there whose only intent online is to
steal your information.

Avoid Disputes Due to Credit Card Fraud

If a customer submits his credit card information on your unprotected server and then
experiences identity theft, the first place he will likely suspect is your website. Even if your
website is not the source of the issue, you still may have to deal with a lengthy and involved
dispute process with the customer and his credit card company. If your website has SSL
technology, you are less likely to deal with these types of claims from customers.

3.4 DISADVANTAGES OF SECURE SOCKET LAYER

Regular Renewal

Like a website domain and hosting plan, an SSL certificate expires after a short period of time,
usually one to five years. You have to renew the SSL protection regularly and pay the
subscription price again each time in order to keep the protection. If you forget to renew the SSL
protection, your website will display an error on the user's computer stating that the certificate is
not valid.
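
A missed renewal of the kind described above is normally caught by monitoring the certificate's expiry date. The following is an added example, not part of the original paper: it classifies a certificate as ok, due for renewal, or expired from its `notAfter` field. The 30-day renewal window, the function names and the sample certificate data are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumed alert threshold, not from the paper

def days_remaining(cert, now):
    """Whole days until notAfter; negative once the certificate has expired.
    cert is a dict shaped like the result of SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)

def classify(cert, now, window=RENEW_WINDOW_DAYS):
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    return "renew-soon" if left <= window else "ok"

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate of a live server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_host(host, now=None):
    """An already-expired certificate fails the handshake itself, which is
    the error visitors see, so report that instead of crashing."""
    now = now or datetime.now(timezone.utc)
    try:
        return classify(fetch_cert(host), now)
    except ssl.SSLCertVerificationError as exc:
        return "invalid: " + exc.verify_message

# Constructed sample data (not real certificates), checked offline.
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "shop.example": {"notAfter": "Dec 31 23:59:59 2025 GMT"},
    "mail.example": {"notAfter": "Jun 15 12:00:00 2025 GMT"},
    "old.example": {"notAfter": "May 31 12:00:00 2025 GMT"},
}

def sample_report():
    return {h: classify(c, SAMPLE_NOW) for h, c in SAMPLE_CERTS.items()}

if __name__ == "__main__":
    for host, state in sample_report().items():
        print(host, state)
```

Run on a schedule, `check_host` gives a renewal warning well before visitors see the browser error.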

Complex Installation

SSL technology can be difficult to install on a website, especially for someone who isn't very
familiar with website development. The provider will send you a set of files to install in a certain
folder of your web server. You must also activate the certificate using specific instructions from
the provider. The process can be overwhelming for a beginner, and some trial-and-error may be
required to get the technology to work properly on your website.

3.5 FUTURE PROSPECTS OF SECURE SOCKET LAYER

One of the creators of Secure Socket Layer (SSL) encryption believes that the future of Internet
security will see everyday users getting the short end of the stick. The United States' National
Security Agency (NSA) has likely compromised SSL, one of the foremost methods of Internet
encryption. In theory, this gives the organization access to everything from email records to
online shopping history for almost all Americans, regardless of whether they are under any kind
of governmental suspicion. SSL is a common method of encrypting sensitive data online.

Suppose you buy an item online. You enter your credit card information to pay, and the store
receives your credit card information in order to charge you. Protocols like SSL ensure that while
the data is en route from you to the vendor, all of your information is encrypted and inaccessible
to malicious third parties. Although cracking SSL encryption is a relatively new advancement,
Paul Kocher, president of Cryptography Research, Inc., and one of the minds behind SSL, says
that collecting information is nothing new. He believes the NSA has been working for some time
to collect as much data as possible from people who would ordinarily be above suspicion.

SECTION FOUR
CONCLUSION
We have discussed the meaning of Secure Socket Layer. We have highlighted the advantages and
the disadvantages of using the technology, especially in our online business transactions, and
concluded by offering some suggestions on how we can improve on the shortcomings of Secure
Socket Layer. SSL has become the universal standard for authenticating web sites to web
browsers, and for encrypting communications between web browsers and web servers. However,
SSL poses a security threat, is CPU-intensive, and degrades web server performance, so
organizations have typically deployed SSL in a limited fashion. Delivering applications over
long, skinny WAN pipelines is no easy feat, and the presence of impenetrable SSL tunnels has
made it impossible to secure and accelerate a growing part of that traffic. By integrating SSL
processing with its appliances, Blue Coat Systems has eliminated the bottlenecks that served as
barriers to widespread implementations of SSL. Companies can now apply SSL to more content
without compromising network security or degrading the performance of their web sites.

ABSTRACT
Secure Socket Layer is a cryptographic protocol designed to provide communication security
over the internet. SSL allows sensitive information such as credit card numbers, social security
numbers, and login credentials to be transmitted securely. Normally, data sent between browsers
and web servers is sent in plain text, leaving you vulnerable to eavesdropping. If an attacker is
able to intercept all data being sent between a browser and a web server, they can see and use that
information. Secure Socket Layer offers many services to web browsers, such as server
authentication, private communication, data encryption, customer confidence, coverage of many
security issues and avoidance of disputes over credit card fraud. But like many upcoming technologies, Secure
Socket Layer is not without its shortcomings: ensuring data integrity, securing traffic over the
communication channel, and authenticating the client and the server to each other are some of the
challenges facing this technology. This seminar work explored many issues concerning this
technology; it highlighted the advantages and the disadvantages of using the technology and
suggested solutions on how to improve on the shortcomings.
