Okay, let's visualise this conversation, which is a common scenario in most teams.


QA1 : Hey bud, my Selenium test cases are failing due to a weird issue. Wonder what that is?
QA2 : Oh, that might be due to the certificate issues that we also encountered. I know how to fix them.
QA1 : How? Tell me.
QA2 : [Proceeds to search the internet for a host of articles showing how to ignore certificate errors in Selenium and gives a link] Here you go, this piece of code will ignore these errors.
QA1 : Thanks so much.

I'm sure a lot of you will have faced or seen this situation. You could be either QA1 or QA2. However, there is something amiss here. Do you know what?

The thing is, it's very easy to ignore a problem. In this case the test failure comes from an untrusted, expired or self-signed certificate, and you go ahead and tell your scripts to ignore the error without knowing what the issue is or why it appeared in the first place. That error is the only signal your test gets that the site it is talking to may not be who it claims to be. This might look like a minor issue at first. It is not, and that is why we need to understand the consequences of ignoring these SSL errors.

But, hey, first of all, what the heck is an SSL certificate, or SSL itself, and why do I need to know about it?

Glad you asked.

SSL

Before I get started, it's imperative to know that SSL and an SSL certificate are two different things. They are related, but they are not the same thing.

Now let's start with the former. SSL, or Secure Sockets Layer, is a "protocol", protocol being the keyword here. SSL is an encryption-based security protocol designed to safeguard internet communication, or, in plain language, to keep internet traffic safe from anyone with bad intentions. SSL was originally developed at Netscape, where it was designed to provide privacy, authentication and data integrity for internet communications.

A simple giveaway that a website or web app is using SSL (or, these days, its successor TLS) is that it is reached over https instead of http.

So, basically, SSL ensures that whatever you send over the internet, plain data, images, video, audio, is encrypted, so that even if the traffic is intercepted along the way by some third party, most likely a malicious actor (a hacker, in simple terms), they cannot read it. Encryption does not stop anyone from capturing the bytes; it stops them from making sense of what they captured.

Ah! But how does it work?

How Does SSL Work

So the primary function of SSL is to encrypt information so that it cannot be read by a malicious third party. How does it do that?

There are primarily three parts to this:

  • The first is encrypting the data. SSL encrypts the data transferred over the network, and there are many algorithms for that. Someone who does not hold the key and tries to sneak a peek at the encrypted data will see only a garbled mix of bytes that makes no sense to the naked eye.
  • SSL also lets the two parties, the one sending data and the one receiving it, identify each other and agree on keys through a mechanism known as the handshake. This is where the server proves its identity (with its certificate) so there is no confusion about who is who, and where the encryption keys that protect the rest of the session are agreed.
  • SSL also attaches an integrity check to each piece of data sent. This protects the integrity of the information being transferred: the receiver recomputes the check and can tell whether the data was tampered with or modified before reaching its destination. (Strictly, digital signatures are used in the handshake; the per-record check is a message authentication code, or authenticated encryption in newer versions.)
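To make those three parts concrete, here is a toy model in Python. It is added here as an illustration; it is not code from the original post, it is not TLS, and it is not secure. It uses a constructed Diffie-Hellman group (a small Mersenne prime) for the handshake, an HMAC-based counter-mode keystream standing in for a real cipher, and an HMAC tag standing in for the record integrity check. All names and parameters (P, G, seal, unseal, honest_session, tamper_detected, mitm_session) are assumptions of this example. The last function shows the one thing a bare handshake cannot provide, proof of who sent the public value, which is exactly what the certificate supplies in real SSL/TLS.

```python
"""Toy model of the three SSL/TLS building blocks: a handshake that agrees keys,
encryption of the data, and an integrity tag on every record.
Added illustration only: NOT TLS and NOT secure (toy DH group, HMAC keystream)."""
import hashlib
import hmac
import os

# Constructed toy Diffie-Hellman parameters (assumption: for illustration only).
P = 2**127 - 1          # a Mersenne prime, far too small for real use
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8
NONCE_LEN, TAG_LEN = 12, 32


def dh_keypair():
    """Handshake, step 1: pick a private exponent, send G^priv mod P to the peer."""
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Handshake, step 2: both sides reach the same secret from the other's public value."""
    return pow(peer_pub, priv, P)


def transcript_of(client_pub, server_pub):
    """Hash of the handshake messages, so derived keys are bound to what was exchanged."""
    return hashlib.sha256(client_pub.to_bytes(KEY_BYTES, "big")
                          + server_pub.to_bytes(KEY_BYTES, "big")).digest()


def derive_keys(shared, transcript):
    """Handshake, step 3: expand the shared secret into separate encryption and MAC keys."""
    prk = hmac.new(transcript, shared.to_bytes(KEY_BYTES, "big"), hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC, a toy stand-in for a real cipher."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(enc_key, mac_key, plaintext):
    """Encryption + integrity: XOR with the keystream, then tag nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(enc_key, mac_key, record):
    """Verify the tag before decrypting; a modified record is rejected, not silently decoded."""
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record was modified in transit")
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def honest_session(message):
    """Client and server handshake directly, then the client sends one protected record."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    transcript = transcript_of(c_pub, s_pub)
    c_keys = derive_keys(dh_shared(c_priv, s_pub), transcript)
    s_keys = derive_keys(dh_shared(s_priv, c_pub), transcript)
    record = seal(*c_keys, message)            # what an eavesdropper sees on the wire
    return {"keys_match": c_keys == s_keys, "on_the_wire": record,
            "server_reads": unseal(*s_keys, record)}


def tamper_detected(message):
    """Flip one ciphertext byte in transit and confirm the receiver rejects the record."""
    enc_key, mac_key = derive_keys(123456789, b"constructed transcript")  # any keys will do
    record = bytearray(seal(enc_key, mac_key, message))
    record[NONCE_LEN] ^= 0x01                  # attacker modifies the first ciphertext byte
    try:
        unseal(enc_key, mac_key, bytes(record))
        return False
    except ValueError:
        return True


def mitm_session(message):
    """Nothing here proves WHO sent a public value, so an attacker can run one handshake
    with the client and another with the server, then read or alter every record."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()               # the attacker's own key pair
    # Client thinks it completed a handshake with the server; it actually got m_pub.
    c_keys = derive_keys(dh_shared(c_priv, m_pub), transcript_of(c_pub, m_pub))
    m_client_keys = derive_keys(dh_shared(m_priv, c_pub), transcript_of(c_pub, m_pub))
    # Attacker opens a second, independent session with the real server.
    m_server_keys = derive_keys(dh_shared(m_priv, s_pub), transcript_of(m_pub, s_pub))
    s_keys = derive_keys(dh_shared(s_priv, m_pub), transcript_of(m_pub, s_pub))
    stolen = unseal(*m_client_keys, seal(*c_keys, message))          # attacker reads it ...
    forwarded = seal(*m_server_keys, stolen + b" (altered)")         # ... and changes it
    return {"attacker_read": stolen, "server_reads": unseal(*s_keys, forwarded)}
```

Call `honest_session(b"password=hunter2")` to see the garbled record on the wire next to what the server decrypts, `tamper_detected(...)` to see the integrity tag reject a flipped byte, and `mitm_session(...)` to see both parties happily "encrypted" while the attacker reads and rewrites the message. In real SSL/TLS the server signs its handshake with the key in its certificate, and the client checks that certificate, which is what prevents the third scenario. A test that is told to ignore certificate errors keeps the encryption and the integrity tag but throws away that check.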

But Why SSL or Encryption

Valid point. You see, when the internet was in its nascent stages, and even to this day, you can choose to send your data as plain text over the internet. That means anyone on the network path can see what the data is. In the early days, when these standards were not yet applied to most network traffic, almost all data was sent as plain text.

So, if today's e-commerce had existed back then, with no SSL in place, anyone on the network could have seen sensitive information such as your bank account number, your personal identification number or your credit card number. See how scary that looks even on paper.

As the internet grew, so did the number of bad actors, people who want to take advantage of such situations. Cases of identity theft, financial theft and the like made it imperative to protect sensitive data even while it is transmitted over a network, and this is where and why SSL came into the picture.

SSL was created to address this concern about user data and privacy. When sensitive data that has to cross a network is encrypted, a third party who intercepts it in transit will simply not understand what they are receiving. In technical terms it is not quite that simple, and there have been cases where such traffic could be decrypted by a third party, typically through weaknesses in old protocol versions or cipher suites. But in most cases, SSL ensures that data privacy is maintained.

I’ve also heard of TLS

Now you might have learnt, heard or read about TLS. So what is that? Actually, when you say SSL nowadays, there is a good chance you are really talking about TLS. SSL is the predecessor of what is now TLS, or Transport Layer Security. In 1999 the Internet Engineering Task Force (IETF), which is the standards body for these things, published TLS 1.0 (RFC 2246) as the updated successor of SSL.

Because the protocol was now maintained by the IETF rather than Netscape (where SSL was originally created), the updated version was given a new name, TLS. The first version of TLS and the last version of SSL, version 3.0, do not differ much; TLS 1.0 even identifies itself on the wire as version 3.1, so you can think of it as SSL 3.1 to be very honest.

So, in real life, most of the time when you see people talking about SSL or TLS, they are talking about the same thing. There are definitely differences between them, but fundamentally they serve the same purpose.

So SSL is not updated anymore

Yes. The last version of SSL, SSL 3.0, dates from 1996. There have been no updates since, and the IETF formally deprecated it in 2015 (RFC 7568), so you can think of SSL as dead.

There are several known vulnerabilities in the SSL protocol (POODLE, disclosed in 2014 against SSL 3.0, being the best known), and security experts recommend discontinuing its use. In fact, modern web browsers no longer support SSL at all; when a browser shows https today, it is TLS underneath.

But we were talking about SSL certificates.

Yeah, yeah. We'll continue on that front. An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. It is what allows a website to be served over https instead of http, which is considered less secure. The client checks that certificate during the handshake, and telling a script to ignore a certificate error means skipping exactly that identity check while keeping the encryption, which is why the connection still "works" and the test goes green.

In this blog, I'll stop here to avoid over-information. In the next blog, I'll focus more on the SSL certificate side and why we need it.