What is an SSL Certificate?

A secure sockets layer (SSL) certificate is a digitally signed credential issued by a certificate authority for a specific organization's website. (The protocol in use today is TLS, the successor of SSL, but the certificates are still commonly called SSL certificates.) SSL certificates are used to authenticate a web server to a browser and to protect the traffic between them. The browser and server exchange information that lets the browser confirm it is talking to the genuine server, and the two then establish an encrypted connection. Users can check their browser's address bar to determine whether they are on a secure connection.

Any organization that would like to secure its web traffic first generates a public/private key pair on its own server, keeps the private key there, and sends the public key, in a certificate signing request, to a credentialing agency, called a certificate authority, to obtain an SSL certificate. The certificate authority, which must itself be trusted by the browsers, verifies that the requester controls the domain (and, for higher-assurance certificates, the identity of the requesting organization) before signing the certificate. The signed certificate is then installed on the organization's web server alongside the private key; the private key never leaves the server.

When a user browses to a website, the browser asks the web server to identify itself. The server returns a copy of its SSL certificate, and the browser then determines whether the certificate should be trusted: whether it chains to a certificate authority in the browser's trust store, whether it has expired, and whether the name in it matches the site being visited. If any of these checks fails, the browser displays a warning. The user can then examine the certificate and decide whether to continue, although proceeding past such a warning means the identity of the server has not been verified.

When the browser trusts the SSL certificate, it completes the handshake with the server without requiring any action from the user: the two sides agree on session keys, the server acknowledges the browser's response, and the secure session starts. Everything transmitted from this point is encrypted, so it is unreadable to an attacker who can observe or record the traffic on the network path.

The use of SSL certificates is important in fostering user confidence in websites. Certificates are often used on ecommerce sites, where users might be sending credit card information. Use is also essential for financial services websites, such as online banking and payment fulfillment sites. Other sites that might request personal information such as addresses, birth dates or health information will also typically use SSL certificates.

Users may wish to verify that they are on a secure website before sending private information. To verify, the user can examine the browser's address bar. The address will begin with "https" instead of "http"; "https" stands for "Hypertext Transfer Protocol Secure." Browsers also display other indicators that the site is using an SSL certificate, such as a padlock or details about the secure connection in the address bar. Note that the padlock means only that the connection to the named site is encrypted and the certificate was accepted; it says nothing about whether the site itself is trustworthy.


Hypertext transfer protocol (http) is a system for transmitting and receiving information across the Internet. Http is a request and response procedure that all agents on the Internet follow so that information can be rapidly, easily, and accurately exchanged between servers, which hold information, and clients, which are trying to access it. Http is commonly used to access html pages, but other resources can be retrieved through http as well. In many cases, clients exchange confidential information with a server, which needs to be secured in order to prevent unauthorized access. For this reason, https, or secure http, was developed by Netscape to allow the server to be authenticated and the transaction to be encrypted.

In many ways, https is identical to http, because it follows the same basic protocol. The http or https client, such as a Web browser, establishes a connection to a server on a standard port. When the server receives a request, it returns a status and a message, which may contain the requested information or indicate an error if part of the process failed. Both use the same Uniform Resource Identifier (URI) structure, so that resources can be universally identified. Using https rather than http as the URI scheme indicates that an encrypted connection is required.

There are some primary differences between http and https, however, beginning with the default port, which is 80 for http and 443 for https. Https works by transmitting normal http interactions through an encrypted channel, so that, in theory, the information cannot be read by any party other than the client and the end server. That channel is provided by Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL); every SSL version is now deprecated, although the name survives. The layer both encrypts and integrity-protects the data records being exchanged.

When using an https connection, the client opens the connection by listing the protocol versions and encryption methods (cipher suites) it supports. The server selects one and sends its certificate, and the client verifies that certificate to authenticate the server. (The server can also ask the client for a certificate, but on the public web this is rare; the user is normally authenticated later, by a password sent over the encrypted channel.) The two sides then agree on session keys, and all http traffic that follows is encrypted with those keys until the connection is closed. In order to host https connections, a server must have a public key certificate, which binds the public key to the identity of the key's owner. Most certificates are signed by a third party, the certificate authority, so that clients can confirm that the key belongs to the site named in the address bar.

Https is used in many situations, such as log-in pages for banking, forms, corporate log-ons, and other applications in which data needs to be secure. However, https is not infallible, particularly when it is not implemented properly, so it is extremely important for end users to be wary about accepting questionable certificates and cautious with their personal information while using the Internet.
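The client side of the checks described above (does the certificate chain to a trusted authority, does its name match the site, is an obsolete protocol version refused), as an added example that is not part of the original post: a careless HTTPS client configuration beside the one a browser effectively uses. The function and dictionary key names are this example's own; nothing contacts the network unless fetch_server_certificate() is called with a real host.

```python
import socket
import ssl

# Added example (not from the original post): the client side of the certificate
# checks described in the text, as a careless configuration beside a correct one.


def insecure_client_context() -> ssl.SSLContext:
    """Encrypts the connection but trusts any certificate the server sends.

    With these two settings an attacker on the network path can present their
    own certificate and read the traffic: the padlock's promise is gone.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # do not require a certificate signed by a trusted CA
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What a browser effectively does: trusted CAs, hostname check, modern TLS only."""
    ctx = ssl.create_default_context()  # system trust store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def verification_report(ctx: ssl.SSLContext) -> dict:
    """Summarise which of the checks from the text a context will actually perform."""
    return {
        "name_must_match_certificate": ctx.check_hostname,
        "certificate_must_chain_to_trusted_ca": ctx.verify_mode == ssl.CERT_REQUIRED,
        "minimum_protocol": ctx.minimum_version.name,
    }


def fetch_server_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Run the handshake against a real server and return what it presented.

    Raises ssl.SSLCertVerificationError when the certificate is untrusted,
    expired, or issued for a different name: the same failure a browser turns
    into a warning page.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the hostname check.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"protocol": tls.version(), "peer": tls.getpeercert()}


if __name__ == "__main__":
    print("insecure:", verification_report(insecure_client_context()))
    print("hardened:", verification_report(hardened_client_context()))
```

The order of the two assignments in insecure_client_context() matters: Python refuses to set verify_mode to CERT_NONE while check_hostname is still True, which is a useful guard against disabling one check and forgetting the other. Code that sets CERT_NONE "to make the error go away" is exactly the improper implementation the paragraph above warns about.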


Security in web applications

Some common terms in web application security testing:

Password Cracking:  To log in to the private areas of the application, an attacker can either guess a username/password or run a password cracker tool. Lists of common usernames and passwords are available along with open source password crackers.  Enforce a complex password (e.g. letters, numbers and special characters, with a minimum length), and also limit the rate of failed logins per account, since a password policy alone does not stop online guessing.

URL manipulation:  Check the range of every input variable, including those in the query string and in hidden form fields. Don't accept values the application doesn't need, and don't trust identifiers or prices that arrive from the client; look them up on the server instead. Avoid forming variable names dynamically from request data.

SQL Injection: This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.  Use parameterised (prepared) statements so that user input is bound as data and never parsed as SQL. Escaping the quotes (mysql_escape_string or equivalent) is a weaker fallback, and mysql_escape_string in particular is deprecated.

Cross Site Scripting:  When a user inserts HTML or client-side script into the user interface of a web application and this input is displayed to other users, it is called XSS. Encode user-supplied values for the context in which they are output (e.g. htmlspecialchars for HTML), or strip all HTML tags from them. Don't pass user input to eval.
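The SQL injection and XSS terms above, as an added example that is not part of the original post: the vulnerable login query and comment renderer beside their fixed versions, run against an in-memory SQLite table. The users table, its two rows, and the function names are constructed for this example.

```python
import html
import sqlite3

# Added example (not from the original post): SQL injection and XSS, vulnerable
# code beside the fix. The users table and its rows are constructed sample data.

SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login_sql(username: str, password: str) -> str:
    # The classic bug: request values are spliced into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    return ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(vulnerable_login_sql(username, password)).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver passes the values separately from the
    # statement, so they are compared as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Two well-known payloads: one turns the WHERE clause into "... OR '1'='1'",
# the other comments out the password check entirely.
PAYLOAD_OR_TRUE = "' OR '1'='1"
PAYLOAD_COMMENT = "alice'--"


def render_comment_vulnerable(comment: str) -> str:
    # Stored XSS: whatever one user typed is sent to every other user as HTML.
    return "<p>" + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    # Encode for the HTML body context: <, >, &, " and ' become entities.
    # (JavaScript, URL and attribute contexts each need their own encoder.)
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login_sql("nobody", PAYLOAD_OR_TRUE))
    print("vulnerable login bypassed:", login_vulnerable(db, "nobody", PAYLOAD_OR_TRUE))
    print("safe login bypassed:     ", login_safe(db, "nobody", PAYLOAD_OR_TRUE))
    print(render_comment_safe("<script>alert(document.cookie)</script>"))
```

Running the script prints the spliced query so the bypass is visible in the SQL itself. Note that the safe version does no quote escaping at all: binding the values as parameters removes the need for it, which is why prepared statements are preferred over escaping functions.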

Spoofing: The creation of hoax look-alike websites or emails is called spoofing.  Identity images like the ones Yahoo! and bank websites use (a picture chosen by the user and shown before the password prompt) help the user confirm that he or she is logging on to the correct system, although they are no substitute for checking the address bar and the certificate.

Crumbs: A crumb is a secret token, tied to the user's session and issued by the server, that a form must submit back with the request. It ensures the request came from a page the server actually served to this user, i.e. that the user came through the previous page in the flow and not directly, which also blocks cross-site request forgery from another site.
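One way to implement the crumb described above, as an added example that is neither Yahoo!'s nor the page's own code: the crumb is an HMAC over the session id, the form name and an issue timestamp, so it cannot be forged for another session, reused on a different form, or replayed after it expires. The server secret below is a constructed placeholder, and the function names are this example's own.

```python
import hashlib
import hmac
import time
from typing import Optional

# Added example (not Yahoo!'s or the page's code): a crumb as an HMAC over the
# session id, form name and issue time. SERVER_SECRET is a constructed
# placeholder; a real deployment loads a random key from configuration so that
# every server in the pool verifies the same crumbs.

SERVER_SECRET = b"example-only-secret-replace-with-32-random-bytes"
MAX_AGE_SECONDS = 3600


def _mac(session_id: str, form_name: str, issued_at: str) -> str:
    message = f"{session_id}|{form_name}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def issue_crumb(session_id: str, form_name: str, now: Optional[int] = None) -> str:
    """Embed the returned value in the form the server renders for this session."""
    issued_at = str(int(time.time()) if now is None else now)
    return f"{issued_at}.{_mac(session_id, form_name, issued_at)}"


def verify_crumb(crumb: str, session_id: str, form_name: str,
                 now: Optional[int] = None, max_age: int = MAX_AGE_SECONDS) -> bool:
    """Accept the submission only if the crumb was issued for this session and
    form, has not expired, and has not been tampered with."""
    try:
        issued_at, mac = crumb.split(".", 1)
        age = (int(time.time()) if now is None else now) - int(issued_at)
    except ValueError:
        return False  # malformed crumb
    if not 0 <= age <= max_age:
        return False  # expired, or a timestamp from the future
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(_mac(session_id, form_name, issued_at), mac)


if __name__ == "__main__":
    crumb = issue_crumb("sess-123", "transfer")
    print(crumb)
    print("same session, same form:", verify_crumb(crumb, "sess-123", "transfer"))
    print("other session:          ", verify_crumb(crumb, "sess-999", "transfer"))
```

Because the session id is part of the signed message, a crumb harvested from one user's page is useless in another user's session, and because nothing is stored server-side, verification is stateless.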

PHP Array questions

1) How can I create an array of numbers easily?
If you want to create an array of consecutive numbers in PHP, then you can do it the long hand way…

$myarray = array(1,2,3,4,5,6,7);

Or you can do it the easy way, using the range function, to which you simply pass the first and last value of the consecutive range. So this is equivalent to the above code:

$myarray = range(1,7);

… and when you want an array containing the numbers 1 to 1,000, you'll be glad you learned about this function!

2) How do you remove duplicate values from an array?
Duplicate values are easily removed using the array_unique function. Note that it keeps the key of the first occurrence of each value (so the result can have gaps in its keys; pass it through array_values if you need a reindexed list), and that it compares values as strings, so 1 and "1" count as duplicates:

$values = array("banana","apple","pear","banana");
$values = array_unique($values);
print_r($values);

Array
(
    [0] => banana
    [1] => apple
    [2] => pear
)

Initiating the tech blog

This blog will contain the tech things of interest to me and Dimple.

The software industry is growing rapidly concept-wise, and it's becoming an information overload. This is an attempt to organize some of that information for our own personal sake.

Some of the things noted here may seem downright simple and silly.  But with the amount of things that change every day, remembering even the simple things becomes a hard task.