SSL is a client-server protocol that creates a secure channel over the Internet. SSL is used to validate the identity of the destination server and (optionally) the client, and to encrypt information sent across the Internet between the client and server.

When a client, such as a browser, first sends an HTTPS request to a Web server, it starts a series of message exchanges, called the SSL handshake. During the SSL handshake, the server sends its digital certificate to the client to authenticate itself, and the client and server agree on the SSL protocol version and algorithms to use, and generate the symmetric keys they will use to encrypt their messages. See below for an illustration of the SSL handshake.

After the SSL handshake is successfully completed, the browser and Web server continue with the standard HTTP communications in a secure manner.

The following packet capture shows the SSL packets as they are exchanged between the browser, which is the client, and the Web server.

  1. The client sends its HTTPS request in the Client Hello. The entire HTTPS message is encrypted, including the headers and the request/response load. The actual hostname and domain name being accessed is not visible. How the Zscaler service determines the destination host name depends on whether it is operating in transparent mode or explicit mode.
  2. The server responds with its Hello message and its certificate. (A certificate is an electronic form that verifies the identity and public key of the subject of the certificate.) SSL uses the Public Key Infrastructure (PKI) to ensure the trustworthiness of the certificates.
  3. The client and server continue with the SSL negotiation.
  4. After the SSL tunnel is established, the application data is sent securely through the tunnel.

Public Key Infrastructure (PKI)

SSL uses Public Key Infrastructure (PKI) to ensure the trustworthiness of the certificates. PKI uses a trusted third-party, called a certificate authority (CA) to guarantee the identity of an entity. When a CA verifies an entity’s identity, it uses an algorithm, such as RSA, to generate a public and private key. It gives the private key to the requesting entity, and the public key is made available to the public. To authenticate itself to another party, the entity uses its private key to encrypt its certificate and the other party uses the corresponding public key to decrypt it.

A CA issues certificates in a tree structure, with the root certificate as the top-most certificate. The CA signs the root certificate, which is indubitably considered trustworthy in many software applications, such as web browsers. Web browsers have the root certificates of many CAs.

A root certificate can sign and designate a certificate as an intermediate CA certificate, which can sign and designate other certificates as intermediate certificates as well. A certificate chain refers to the list of certificates that complete the chain of trust, from the trusted root CA certificate to any intermediate certificates and the certificate of an entity. See below for an example of a certificate chain.

The certificate of mail.google.com was signed by Google Internet Authority G2.

The certificate of Google Internet Authority G2 was signed by GeoTrust Global CA.

The certificate of GeoTrust Global was signed by Equifax Secure Certificate Authority.

The certificate of GeoTrust Global CA and Equifax Secure Certificate Authority are in the certificate store of the browser.

To read more about how the Zscaler service can protect your organization from the potential misuse of SSL by attackers for malicious activity, see How does Zscaler protect SSL traffic?