SSL Glossary
Basic SSL Terms & SSL Dictionary
An SSL Glossary is a comprehensive collection of terms and definitions related to Secure Sockets Layer (SSL) technology and its successor, Transport Layer Security (TLS). This glossary serves as a valuable resource for IT professionals, developers, and anyone involved in web security. It covers a wide range of topics, including cryptographic protocols, digital certificates, encryption algorithms, and authentication methods.
The glossary explains key concepts such as public key infrastructure (PKI), certificate authorities (CAs), and the handshake process that establishes secure connections between clients and servers. It also includes information on various SSL/TLS versions, cipher suites, and common vulnerabilities.
By providing clear and concise explanations of these technical terms, an SSL Glossary helps users better understand the complexities of secure communication over the Internet and aids in implementing robust security measures for websites and applications.
Asymmetric Encryption
Encryption model that uses public and private key pairs for secure communication. Provides authentication and confidentiality.
Authenticated Encryption
Advanced mode of encryption that includes authentication of associated data along with confidentiality of the plaintext. Recommended to prevent tampering.
Authentication
Authentication is the process of positively confirming the identity of an entity, such as a server or client. SSL/TLS certificates provide it.
Authenticity
Guarantee that communicating entities are who they claim to be. SSL/TLS provides it through certificates and digital signatures.
Baseline Requirements
Collection of mandated practices for SSL certificate issuance and management published by the CA/Browser Forum.
BEAST Attack
Vulnerability exploiting weaknesses in older block cipher modes like CBC to decrypt portions of traffic. It is mostly mitigated now.
BGP Hijacking
Exploiting vulnerabilities in internet routing infrastructure to impersonate trusted network endpoints. It can undermine certificate validity.
Brute Force Attack
Method of defeating encryption keys by trying every possible combination in an exhaustive trial-and-error manner. Effective against weaker keys.
CA Compromise
A security incident involving the compromise of a certificate authority’s private key that can enable the issuing of fraudulent certificates.
CA/Browser Forum
Industry group of CAs and browser vendors that determines SSL standards and requirements. Publishes certificate guidelines.
CAA Record
DNS record that specifies which CAs can issue certificates for a domain. Improves certificate issuance security.
Certificate Authority
Trusted third party that issues digital certificates to verify identity and enable encryption. Examples include Symantec, Comodo, and DigiCert.
Certificate Authority Authorization
Process used by CAs to verify an applicant has authority over a domain before issuing a certificate.
Certificate Expiration
The expiration date set in a certificate by the issuing CA. SSL certificates must be renewed before expiring.
Certificate Not After Field
The expiration date and time after which the certificate is no longer trusted for authentication.
Certificate Not Before Field
The date and time before which the certificate is not valid. Ensures validity period enforcement.
Certificate Pinning
Technique for allowing only specified certificate keys to be considered trusted. Prevents man-in-the-middle attacks.
Certificate Policy
Guidelines governing certificate issuance and management activities of a CA and applicable to issued certificates.
Certificate Revocation
Formal process of the issuing CA revoking a certificate before expiration due to key compromise, loss of domain, etc.
Certificate Signing Request
File generated to request an SSL cert from a CA. It contains the public key and domain information.
Certificate Transparency (CT)
Certificate Transparency (CT) is an IETF standard for public auditable logs of issued certificates that identify anomalies and prevent issuance abuse. It is gaining adoption.
Certificate Validation
Process of checking the SSL server certificate against trusted CAs for authenticity. It is done during the handshake.
Certification Practice Statement (CPS)
Detailed policies and practices of a CA in issuing, managing, and revoking certificates documented for transparency.
Chain of Trust
Sequence of intermediate and root CA certificates that link the leaf certificate to a trusted root. Establishes validity.
Chosen-plaintext Attack
This type of cryptanalysis exploits the capability to choose arbitrary plaintexts to be encrypted in order to deduce keys. It is applicable to weakened algorithms.
Cipher Suite
Set of cryptographic algorithms that manage authentication, encryption, and message integrity in an SSL/TLS connection.
Client Authentication
Use of client-side certificates to mutually authenticate users to a server in addition to the server cert verifying the server identity.
Client Certificate
Certificate installed on a client/browser enabling two-way SSL authentication and identity verification. Less commonly used.
Code Signing Certificate
A specialized certificate used to sign software, apps, scripts, and other executable code to validate authenticity and integrity.
CRL (Certificate Revocation List)
File containing serial numbers of revoked certificates no longer trusted. It is checked during validation.
CRL Sets
Blocklist of revoked certificates maintained by browsers like Chrome for real-time local revocation checking to augment CRLs.
Cross-certification
Practice of CAs signing certificates issued by other CAs to establish trust relationships explicitly. Aids in constructing chains of trust.
Cryptographic Module Validation
Formal testing and certification of cryptographic implementations against government standards to ensure proper security controls. It helps establish trustworthiness.
Cryptography
Field of techniques for securing communication and information through encryption. Essential for SSL/TLS security.
CSR Generator
Tool for creating certificate signing requests required to obtain SSL certificates.
DANE
Protocol to enable SSL certificate authentication using a DNSSEC-secured channel rather than CAs. Provides enhanced security for TLS.
Digital Certificate
Electronic file used to verify identity and enable SSL/TLS encryption. Contains issuer info, validity dates, public key, and signature.
Digital Signature
A cryptographic scheme that allows authentication of the signer and integrity of the signed data using public key cryptography. It is used in SSL/TLS.
DNS CAA Records
DNS records that allow domain owners to specify authorized CAs for issuing certificates. Improves issuance security.
DNSSEC
Security extension for DNS providing authentication of DNS lookups through cryptographic signing of records. Basis for DANE SSL authentication.
Domain Takeover Vulnerability
Security issue enabling an attacker to control a domain improperly abandoned by its owner and maliciously obtain certificates.
Domain Validated Certificate
This is a basic validation SSL cert that only requires demonstrating control over the domain name. It is quick and inexpensive.
Downgrade Attack
Man-in-the-middle attack tricking servers and clients into using older insecure protocols like SSLv3 or TLS 1.0.
DSA Algorithm
Digital signature algorithm used in some SSL/TLS certificate signatures for authenticity verification.
DSA Signature Algorithm
Digital signature technique used in some legacy SSL certificate signatures. Less common than RSA.
Dual Keys
Dual Keys refers to configuring separate keys for encryption and signing functions on a certificate for optimal security. It is a recommended best practice.
ECC Encryption
Elliptic curve cryptography offers security equivalent to RSA with smaller key sizes. It is used in some modern SSL implementations.
ECDSA Signature Algorithm
Elliptic curve-based version of DSA used for digital signatures on modern SSL certificates.
Elliptic Curve Cryptography (ECC)
Advanced public key technique based on elliptic curve math. Enables equivalent security with smaller keys. It is gaining adoption in SSL/TLS.
Encryption
Process of encoding data to prevent unauthorized access or use. SSL/TLS uses encryption to secure web traffic.
Encryption Strength
Relative assessment of cryptographic resistance to brute force attacks based on algorithm and key length. For SSL/TLS, 128-bit is the minimum, and 256-bit is the best.
End-Entity Certificate
Refers to actual server certificates presented during the TLS handshake as opposed to root and intermediate CA certificates.
Extended Validation
Most stringent SSL validation process for high assurance certificates. Requires extensive identity checks.
Extended Validation Certificate
Highest assurance SSL cert with thorough identity confirmation reflected in special browser UI treatment. Most expensive.
Forward Secrecy
SSL/TLS feature that uses ephemeral key exchange to provide enhanced security, limiting exposure of long-term server private keys. This is a highly recommended best practice.
Forward Secrecy Cipher Suites
Specific TLS cipher suites using Diffie-Hellman ephemeral key exchange to enable perfect forward secrecy. It is recommended for enhanced SSL security.
Forward Secrecy Support
Indicates support for generating unique session keys for each connection to enhance security and limit key compromise. Highly recommended SSL feature.
Heartbleed
Severe OpenSSL vulnerability allowing extraction of memory contents, including private keys. Mass patches deployed after disclosure in 2014.
High Assurance Certificates
Term for SSL certificates with stringent identity verification requirements like EV Certs. Indicates high trust for sensitive purposes.
HSTS (HTTP Strict Transport Security)
HSTS (HTTP Strict Transport Security) forces web connections over TLS only and prevents SSL stripping attacks, enhancing security.
HTTP Public Key Pinning (HPKP)
Security standard for allowing only certain certificate public keys as trusted for a hostname.
Integrity
Assurance that data has not been altered in transit. SSL/TLS uses message authentication codes to verify integrity.
Intermediate Certificates
Certificates issued and signed by a root CA that are used to issue end-entity SSL certificates to organizations.
Issuing CA
The CA that constructs, validates, and directly signs a certificate upon issuance. Distinct from root CAs.
Key Ceremony
Formal cryptographic key generation event conducted by CAs establishing roots of trust. Typically involves trusted auditors.
Key Compromise
Key Compromise is a serious security incident involving the disclosure or unauthorized use of a private cryptographic key, requiring certificate revocation and replacement.
Key Exchange
Process of sharing cryptographic keys to enable encryption between parties. It is done at the start of the SSL/TLS handshake.
Key Generation Ceremony
Formal process governing cryptographic key pair generation under tightly controlled conditions to ensure the security and legitimacy of root keys.
Key Pinning
Technique for accepting only specified trusted certificate keys for a host. Provides defense against impersonation.
Key Usage Extensions
Certificate extension defining cryptographic operations for which the key may be used. Restricts functions to intended purposes only.
Keyless SSL
Technique offloading private key management to specialized external hardware modules to enhance security and simplify maintenance.
Leaf Certificate
The server certificate presented by a website during the SSL handshake. It is issued and signed by intermediate CAs.
Man-in-the-Middle Attack
An attack that intercepts and decrypts traffic between two parties, allowing spying or content modification. SSL/TLS prevents this.
Multi-Domain Certificates
SSL certificates that support multiple domains on one certificate, which saves costs compared to individual certificates.
Null Ciphers
Ciphers that offer no encryption, which can be exploited to intercept plaintext communications. They should never be enabled in production.
OCSP Must-Staple
Improved OCSP implementation that requires certificates to carry status confirmation, preventing reliance on potentially stale responses and enhancing security.
OCSP Stapling
Optimization allowing web servers to cache OCSP certificate status checks to offload the client. Improves performance.
Online Certificate Status Protocol (OCSP)
Method for checking the real-time revocation status of SSL certificates instead of relying on periodic Certificate Revocation Lists (CRLs).
Organization Validated Certificate
Mid-level SSL cert that involves basic business identity verification steps beyond just domain control.
Organization Validation
Intermediate form of SSL validation that verifies identity and legal business registration.
Perfect Forward Secrecy
Perfect Forward Secrecy is a feature that generates new session keys for each connection to limit key compromise. It is highly recommended for SSL security.
Pinning
Technique for allowing only specific trusted certificate keys in an app. Prevents man-in-the-middle attacks.
POODLE Attack
This attack exploits the legacy SSLv3 protocol to force the use of a broken old cipher like CBC to enable decryption. It is mitigated by using TLS only.
Private Key
The secret key used to decrypt messages encrypted with the corresponding public key. It must be kept secure by the owner.
Public Key Cryptography
Encryption method that uses mathematically related public and private keys for encryption and decryption. It is widely used in SSL/TLS.
Public Key Infrastructure (PKI)
Framework that enables trusted digital identity verification, authentication, and encryption through public key cryptography and certificate authorities. Underlies SSL/TLS.
Public Key Pinning Extension
Experimental HTTP header response used to pin only certain certificate keys for a host. Being replaced by HTTP Public Key Pinning standard.
Public Key
A publicly shared key used to encrypt messages that can only be decrypted with the private key. It is used in public key cryptography.
Re-keying Certificate
Renewing an SSL certificate while generating new public and private keys. Recommended periodically for improved security.
Renegotiation Attack
SSL vulnerability allowing insertion of plaintext into encrypted sessions. It is largely mitigated in modern implementations.
Renewal Certificates
A new certificate issued by a CA to replace an expiring certificate to maintain valid HTTPS status. It is typically renewed annually.
Rogue CA Certificate
Certificate fraudulently issued from a trusted CA against validation policies. It can enable man-in-the-middle attacks.
Root Certificate
Self-signed certificate representing a Certificate Authority at the top of the trust chain.
Root Store
The set of trusted root certificates built into web browsers and operating systems to authenticate SSL certificates.
RSA
Public key algorithm based on the mathematical relationship of large prime numbers and commonly used in SSL/TLS key exchange.
RSA Algorithm
Public key algorithm widely used for SSL/TLS encryption key exchange, digital signatures, and certificate signing by CAs due to its security.
RSA Encryption
A public key encryption algorithm based on large prime numbers, used for SSL/TLS key exchange and certificate signatures.
RSA Key Sizes
Typical RSA key length options seen in SSL certificates, including common 2048-bit and increasingly 3072-bit for stronger security.
SAN Certificate
Single SSL cert that can secure multiple different domain names. Cost-effective for various domains.
Self-signed Certificate
A certificate signed by its creator rather than a trusted CA. It needs to be more trusted for authentication.
SHA-1 Hash Algorithm
160-bit cryptographic hash function used for digital signatures on legacy SSL certificates and now deprecated due to collisions.
SHA-1 Sunset
Industry effort to deprecate the SHA-1 hash algorithm in SSL/TLS due to emerging weaknesses and replace it with newer SHA-2 algorithms.
SHA-256 Hash Algorithm
The 256-bit hash algorithm used for certificate signatures by CAs for SSL/TLS certificates. Offers strong security.
SSL (Secure Sockets Layer)
Cryptographic protocol that provides authentication and encryption over the internet. Uses certificates to establish identity and secure connections.
SSL Labs
Online service by Qualys for testing SSL configuration, protocols, ciphers, and vulnerabilities. Provides detailed reports and ratings.
SSL Stripping
Man-in-the-middle attack that removes SSL encryption from connections by exploiting weak configurations.
Stapled OCSP
Optimization where web servers obtain and cache OCSP responses about their cert to offload the client. Improves performance.
Static Trust
Term for the inherent anchor of trust provided by hardcoded trusted root certificates in browsers and operating systems.
Strict Transport Security (HSTS)
Security enhancement requiring web connections only over HTTPS to mitigate eavesdropping and SSL stripping attacks.
Symmetric Encryption
An encryption method that uses a single shared key to encrypt and decrypt data. It is faster than asymmetric but less secure.
TLS (Transport Layer Security)
Successor to SSL that provides encryption and authentication between applications and servers. It is widely used to secure web traffic and transactions.
TLS False Start
Extension allowing encryption on the opening handshake, saving round trips. It is supported on modern browsers and servers.
Triple DES (3DES)
Legacy symmetric key algorithm providing 112-168 bits of security. It is still found in some older SSL cipher suites.
Trust Anchor
Term for trusted Root CAs that browsers and devices use to verify certificates.
Trust Store
Repository of trusted root and intermediate certificates used to authenticate SSL/TLS connections.
Trusted Platform Module (TPM)
Dedicated hardware chip for securely storing cryptographic keys and providing crypto operations like encryption/decryption and digital signatures.
Validation
Technical assessment by a certificate authority to confirm the identity of the certificate applicant and their authority over the domain.
Wildcard Certificate
Single SSL cert that secures the main domain and unlimited subdomains. E.g., *.example.com.