Contents

What is SSL and SSL Offloading

Website Visitors:

What is ssl?

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook).

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used; in this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.

SSL secures millions of peoples’ data on the Internet every day, especially during online transactions or when transmitting confidential information. Internet users have come to associate their online security with the lock icon that comes with an SSL-secured website or green address bar that comes with an extended validation SSL-secured website. SSL-secured websites also begin with https rather than http.

Where Do Certificates Come In?

All browsers have the capability to interact with secured web servers using the SSL protocol. However, the browser and the server need what is called an SSL Certificate to be able to establish a secure connection.

What is an SSL Certificate and How Does it Work?

SSL Certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner.

To get a certificate, you must create a Certificate Signing Request (CSR) on your server. This process creates a private key and public key on your server. The CSR data file that you send to the SSL Certificate issuer (called a Certificate Authority or CA) contains the public key. The CA uses the CSR data file to create a data structure to match your private key without compromising the key itself. The CA never sees the private key.

Once you receive the SSL Certificate, you install it on your server. You also install an intermediate certificate that establishes the credibility of your SSL Certificate by tying it to your CA’s root certificate. The instructions for installing and testing your certificate will be different depending on your server.

In the image below, you can see what is called the certificate chain. It connects your server certificate to your CA’s (in this case DigiCert’s) root certificate through an intermediate certificate.

https://www.mediafire.com/convkey/1f56/1fczxcf6pttdq3z7g.jpg

The most important part of an SSL Certificate is that it is digitally signed by a trusted CA like DigiCert. Anyone can create a certificate, but browsers only trust certificates that come from an organization on their list of trusted CAs. Browsers come with a pre-installed list of trusted CAs, known as the Trusted Root CA store. In order to be added to the Trusted Root CA store and thus become a Certificate Authority, a company must comply with and be audited against security and authentication standards established by the browsers.

An SSL Certificate issued by a CA to an organization and its domain/website verifies that a trusted third party has authenticated that organization’s identity. Since the browser trusts the CA, the browser now trusts that organization’s identity too. The browser lets the user know that the website is secure, and the user can feel safe browsing the site and even entering their confidential information.

How Does the SSL Certificate Create a Secure Connection?

When a browser attempts to access a website that is secured by SSL, the browser and the web server establish an SSL connection using a process called an “SSL Handshake” (see diagram below). Note that the SSL Handshake is invisible to the user and happens instantaneously.

Essentially, three keys are used to set up the SSL connection: the public, private, and session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.

Because encrypting and decrypting with private and public key takes a lot of processing power, they are only used during the SSL Handshake to create a symmetric session key. After the secure connection is made, the session key is used to encrypt all transmitted data.

https://www.mediafire.com/convkey/3b8d/vjvoji4xip3otl27g.jpg

  1. Browser connects to a web server (website) secured with SSL (https). Browser requests that the server identify itself.
  2. Server sends a copy of its SSL Certificate, including the server’s public key.
  3. Browser checks the certificate root against a list of trusted CAs and that the certificate is unexpired, unrevoked, and that its common name is valid for the website that it is connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the server’s public key.
  4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
  5. Server and Browser now encrypt all transmitted data with the session key.

Why Do I Need SSL?

One of the most important components of online business is creating a trusted environment where potential customers feel confident in making purchases. Browsers give visual cues, such as a lock icon or a green bar, to help visitors know when their connection is secured.

In the below image, you can see the green address bar that comes with extended validation (EV) SSL Certificates.

OK, now what is ssl offloading???

SSL offloading relieves a Web server of the processing burden of encrypting and/or decrypting traffic sent via SSL , the security protocol that is implemented in every Web browser. The processing is offloadedto a separate device designed specifically to performSSL acceleration orSSL termination.

Secure socket layer (SSL) certificates provide authentication between a server and a client computer in a Web application. Companies or businesses with a dedicated SSL certificate must host that certificate on a Web server. Heavy use of the certificate can put a strain on the machine and slow down the application.

Features

  • SSL offloading takes all the processing of SSL encryption and decryption off the main Web server and moves it to a separate device designed specifically for the task. This allows the performance of the main Web server to increase and it handles the SSL certificate efficiently.

Benefits

  • SSL offloading increases the effectiveness of the security offered by the certificates because the designated device can devote more processing time to warding off attacks. It increases the Website and application speed and prevents companies from needing to add more Web servers to keep up with the demands of a frequently used SSL certificate.

Types

  • SSL termination performs decryption on the designated device, then sends the unencrypted data to the main Web server. This data passes through extra security measures such as an intrusion detection system and a firewall to protect the transmission of unencrypted data. SSL bridging decrypts and checks the data for malicious code before it reaches the server. It then re-encrypts it and processes it again after the server redirects it to the designated device. The extra step slows down the process.

Secure Socket Layer (SSL):

You should have a valid netscaler license and enable ssl offload feature for below options to work.

ssl offload: communication from client to the netscaler is encrypted using https. netscaler to backend servers is not encrypted ie., it is on http. so, client to netscaler is https and netscaler to backend servers is http. This allows servers to perfom more as they don’t have to decrypt and encrypt the ssl connections.

End to end ssl means full https from client to netscaler and netscaler to backend servers.

On backend servers netscalers use ssl multiplexing to use existing sessions when contacting the backend servers. This avoids ssl handshake which happens every 2 mins by default for security purposes.

SSL bridging: Traffic is not decrypted when passing through netscaler from the clients to the backend servers. This causes performance issues as the backend servers should decrypt the encrypted traffic all the time.

Want to learn more on Citrix Automations and solutions???

Subscribe to get our latest content by email.

If you like our content, please support us by sponsoring on GitHub below: