SSL stands for Secure Sockets Layer. This is a method for hiding the information a web browser and a web server send to each other. When you browse a web site, you have very little privacy. Many people can monitor what you reveal to, or request from, that site. Credit card numbers, personal data, or controversial information are an open book to the technologically sophisticated eavesdropper. SSL was designed to defeat the snoops. An SSL-enhanced browser such as Internet Explorer uses encryption to scramble the data you send to a web site into an unintelligible string of seemingly random characters. A typical transaction is a browser sending the contents of an HTML form to the server. Let's say the form has a field named "cc" to hold the credit card number and we'll look at the difference between unsecured and secure transactions:


Unsecured transaction: The browser knows it is using a normal, unsecured connection. It sends "cc=2783-2734-8372-8737" to the server. The server receives "cc=2783-2734-8372-8737" and gives it to the CGI script that handles this form.

Secure (SSL) transaction: The browser knows it is using a secure connection for this form. It takes "cc=2783-2734-8372-8737", turns it into "e$$%0lj*&*(#foij" and sends that to the server. The server receives "e$$%0lj*&*(#foij", converts it back into "cc=2783-2734-8372-8737" and hands it to the CGI script that handles this form.


The important thing to notice here is that the user and the CGI script never see the encrypted form of the credit card number. You can use the same CGI script and the same HTML form for both secure and unsecured transactions. You may be wondering how the browser knows how to encrypt the data. SSL uses a scheme (actually, a patented algorithm) involving "public" and "private" digital keys. The server gives the browser its public key, which the browser uses to encrypt all transmissions.

The interesting thing about this process is that although the public key is used to encrypt the transmission, it cannot be used to decrypt it. Only the private key will work (Trust us, it really works!). The server uses the private key (which is never sent to anyone) to decrypt the transmissions. Likewise, the browser creates its own public/private key pair for stuff going in the other direction. So, even if someone intercepts the transmission, they cannot make any sense of it, even if they have the public key! In addition to providing privacy, SSL was designed to answer a related question: how do you know you are really communicating with the Web site you intended? After all, someone could be intercepting all transmissions and providing a false public key for which they have the correct private key.


SSL is structured to use "certificates" of identity to authenticate web sites and web surfers. These certificates are "digitally signed" and issued by a trusted third party such as Thawte or VeriSign. Such trusted third parties are known as "Certification Authorities" or CAs. Once a web site has registered with a CA, the browser can ask the CA "Is this the correct public key for this company?" Unfortunately, these certificates are not free, but they are very affordable.
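To make the two ideas above concrete (public key encrypts, only the private key decrypts; a CA signature lets the browser reject a substituted public key), here is a toy model added to this article. It is not real SSL and not the code of any browser or CA: it uses textbook RSA with tiny primes, a constructed CA, a constructed site name "shop.example" and the form data from the example, purely as an illustration.

```python
# Toy model of the SSL ideas in this article (constructed example, not real
# SSL): textbook RSA with tiny primes for the key pairs, plus a CA that signs
# a site's public key so the browser can check it. Illustration only.
import hashlib
from math import gcd

def make_keypair(p, q, e=17):
    """Textbook RSA: public key (e, n), private key (d, n). Tiny primes, not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (e, n), (pow(e, -1, phi), n)   # pow(e, -1, phi) is the modular inverse of e

def encrypt(pub, text):
    """What the browser does with the form data: one RSA block per character."""
    e, n = pub
    return [pow(ord(ch), e, n) for ch in text]

def decrypt(priv, blocks):
    """What the server does with its never-transmitted private key."""
    d, n = priv
    return "".join(chr(pow(b, d, n)) for b in blocks)

def fingerprint(site, pub, modulus):
    """Toy digest of (site name, public key), reduced to fit under the CA modulus."""
    h = hashlib.sha256(f"{site}:{pub}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def issue_certificate(ca_priv, site, site_pub):
    """The CA signs the site's name and public key with the CA's private key."""
    d, n = ca_priv
    return {"site": site, "pub": site_pub, "sig": pow(fingerprint(site, site_pub, n), d, n)}

def verify_certificate(ca_pub, cert, expected_site):
    """Browser-side check: the name matches and the signature opens with the CA public key."""
    e, n = ca_pub
    return (cert["site"] == expected_site
            and pow(cert["sig"], e, n) == fingerprint(cert["site"], cert["pub"], n))

# Constructed scenario: a CA, the shop, and the form data from the article.
CA_PUB, CA_PRIV = make_keypair(89, 97)
SHOP_PUB, SHOP_PRIV = make_keypair(61, 53)
FORM_DATA = "cc=2783-2734-8372-8737"

def run_secure_transaction():
    """Returns (what crosses the wire, what the CGI script receives)."""
    wire = encrypt(SHOP_PUB, FORM_DATA)
    return wire, decrypt(SHOP_PRIV, wire)

def substituted_key_is_rejected():
    """If an interceptor swaps in a public key of its own, the CA signature no longer matches."""
    cert = issue_certificate(CA_PRIV, "shop.example", SHOP_PUB)
    tampered = dict(cert, pub=make_keypair(67, 71)[0])
    return verify_certificate(CA_PUB, cert, "shop.example") and not verify_certificate(CA_PUB, tampered, "shop.example")
```

Decrypting the wire blocks with the public key instead of the private key yields garbage, which is the point the article makes about intercepted traffic.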
