Behind the Padlock: How Secure Web Connections Work

If you've ever shopped online, and chances are you have, you've probably noticed, or been told to look for, certain indicators that you have a secure Web connection.

For many years, the primary indicator was a padlock at the bottom of your browser screen. Now, the padlock is likely to be found in the address bar up top. Sometimes the address bar itself will turn a different color (usually green) when you enter a secure website.

The "http" prefix on the website, if it's visible, will change to "https." The "s" stands for "secure."

Learning to read these browser indicators is an important way to avoid becoming a victim of cybercriminals.

But how do these secure connections work? What's behind that reassuring green padlock?

MORE: 5 Free PC Security Programs Worth Downloading

License to shill

In order for these security symbols to appear on their sites, online merchants need a unique digital certificate that guarantees the identity of the website the consumer intends to visit.

In some circumstances, that certificate will provide additional information, which the consumer can use to authenticate the website operator's identity.

Flavio Martins, vice president of customer support at DigiCert, a certificate authority (CA) based in Lehi, Utah, explained that such information might include the operating organization's name, street address, city, state, ZIP code, business registration number and other information.

"The certificate provides visual cues that the data being shared by the consumer with the site is encrypted and protected from unauthorized parties," Martins said.

A merchant can't simply apply to receive a digital certificate from a Certificate Authority (CA), and then answer a couple of questions, in order to get that padlock on their site.

Instead, the process itself requires good security practices at every level.

One key locks, the other key opens

It begins with the merchant creating a public key and a private key, the essential parts of an asymmetrical encryption scheme — asymmetrical because the two parties sharing the secret information have different ways of unlocking it.

"The public and private keys are generated together from large prime numbers, hundreds of digits long, so that when multiplied, they produce a code that only the certificate owner and the computer know," Martins said.

"When a consumer visits a secure page of a merchant's website, the [site's] public key is used by the consumer's Web browser to identify the merchant as the owner of the site," Martins said.

He added that the public key is used to by the consumer's browser to encrypt the data the consumer sends the website, data that could include names, addresses or credit-card numbers.

"The private key is held only by the site owner (merchant) and is used to decrypt the information provided by the consumer in the secure session," Martins said in an emailed message. "These key pairs (public and private key) are mathematically linked — both are needed to securely exchange information, and one does not work without the other."

MORE: SSL vs. TLS: The Future of Data Encryption

Longer is stronger

An easy analogy to explain public-key encryption is a locked mailbox.

The slot of a mailbox, into which anyone can drop a piece of mail, is equivalent to the public key.

But only the mailbox owner has the key to go into the mailbox and retrieve that mail, just as only the holder of the digital private key can open and read encrypted data sent via the secured Internet session.

Today, the minimum key length that experts recommend is 2,048 bits, or binary digits. (Recent leaks of National Security Agency documents hint that shorter bit lengths might not be enough.)

"The strength in the code's security lies in the fact that it is easy for a computer to randomly generate the key pair by multiplying the two prime numbers," Martins said.

"However, it is not deemed computationally feasible to reverse the process to factor the key pair and determine the original prime numbers that would unlock the code," he added.

In other words, it could take even the fastest computers hundreds, even thousands, of years to decrypt information secured with 2,048-bit encryption.

Never break the chain

Paired public and private keys are just the first step in Web security. Your browser won't trust the public key of a website unless it is presented as part of a digital certificate — called the "end-entity" certificate — and digitally "chained" to a "root" certificate embedded in the browser's list of trusted certificates.

"Because a certificate can be used to spoof identities, and misissuance can result in theft of data, the browsers rely on these root certificates to determine whether a server operator is entitled to use a certificate to communicate with end users or consumer," Martins said. "Chaining to a root certificate means that the end-entity certificate is signed by a certificate that is signed by the root certificate."

That's where the Certificate Authority comes in. CAs issue the root certificates. Any merchant who orders a certificate will first generate a key pair and send the public key to the CA. The CA then verifies the identity of the requester in accordance with industry standards.

After the CA verifies the applicant's identity, the CA digitally signs the end-entity certificate to assert that the identity in the certificate is authorized to use the submitted public key, Martins said.

As for the customer's private key, it remains solely in the customer's possession throughout the process, even though it's associated with the certificate.

"Using this chain of trust, each time a consumer visits a page with 'HTTPS,' the client will check to see if the web[site] operator has a valid certificate that is active and has not been revoked for improper activity," Martins said.

"If this checks out, then the computer generates two large numbers to create a secure session key and the padlock icon is shown as a visual cue of trust for the consumer," he added.

So when you see the padlock on your address bar, you can be certain that your merchant has done a lot of background work to make sure your identity and your financial information remain safe.

If you'd like to research for yourself just how secure a given website is, Martins recommends clicking on the padlock icon itself. That will bring up a "Connection" tab, which you can follow to learn more about the site's certificate.

Follow us @tomsguide, on Facebook and on Google+.

Sue Marquette Poremba is a security and technology writer based in Central Pennsylvania.