
secure socket layer

The Secure Socket Layer (SSL) is an interface that encrypts your data to provide security. It lies between your web browser and the Internet. The word "socket" refers to the method used to pass data back and forth between your browser and a web server.

Developed by Netscape, the protocol has been made into a standard by the World Wide Web Consortium and the Internet Engineering Task Force.

SSL works on the public-and-private key encryption system from RSA. The web server contains a private and public key "signed" by a Certificate Authority like Thawte Consulting. The public key is used to encrypt data, but it can only be decrypted using the private key.

When the web server gets information from your web browser (such as through a form submitting credit card information), the information is encrypted by the web browser using the server's public key. Once this data is encrypted, it can't be decrypted unless the private key is known. This is what makes data transmissions secure.
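The public-key property described above, shown as an added example that is not part of the original page: a toy RSA in Python where data encrypted with the public key is recovered only with the private key. The function names, the two small primes and the sample form field are assumptions chosen for illustration; real SSL keys are far larger and use padding.

```python
# Toy RSA: tiny constructed primes, no padding. Illustration only, not secure.
from math import gcd


def make_keypair(p, q, e=65537):
    """Build (public, private) keys from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d = 1 (mod phi), Python 3.8+
    return (n, e), (n, d)


def encrypt(key, message):
    """Encrypt bytes under a key (n, exponent); returns an integer ciphertext."""
    n, exp = key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, exp, n)


def decrypt(key, ciphertext):
    """Apply a key (n, exponent) to a ciphertext and return the resulting bytes."""
    n, exp = key
    m = pow(ciphertext, exp, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed sample values: two Mersenne primes and a made-up form field.
PUBLIC, PRIVATE = make_keypair(2**31 - 1, 2**61 - 1)
MESSAGE = b"card=4111"

if __name__ == "__main__":
    c = encrypt(PUBLIC, MESSAGE)  # what the browser sends
    print("ciphertext:", c)
    print("server (private key):", decrypt(PRIVATE, c))
    print("eavesdropper (public key only):", decrypt(PUBLIC, c))
```
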

The strength of an encryption key is determined by the number of bits that it is composed of. Each additional bit doubles the number of possible keys, so a 40-bit key (2 ^ 40) has 1099511627776 possibilities. Believe it or not, this can be cracked by some very fast government computers. Imagine if you have a 128-bit key, though! Now there are 340282366920938463463374607431768211456 possible keys!

Strong encryption is available worldwide, but there are limitations on its export from the United States. These antiquated laws are in a state of flux now, but it still holds true that encryption stronger than 40 bits cannot be exported from the United States. Therefore, no matter how strong your key is, Netscape and Internet Explorer clients will be limited to 40-bit keys (yes, they can automatically downscale). Expect Netscape limitations to be lifted when they release the source code worldwide; non-U.S. routines will probably be introduced into it by foreign programmers, giving it full compatibility without breaking export laws.

Other sources of information on SSL and encryption:

  • RSA Labs FAQ
  • C2Net's Keys and Certificates page
  • SSLeay and SSLapps FAQ

Please send mail to support@mallorn.com with any questions that you may have.


     © 1995-2008 Mallorn Computing, Inc. All Rights Reserved.