SSL Certificates and Connections

SSL Certificates

A certificate is a digitally signed document that identifies a person, organization, or server and provides a copy of their public key for encryption. The digital signature may either be that of a third party Certificate Authority (CA) or the certificate may have been "self-signed" by its creator. The CA may be a well-known public organization that investigates and verifies the identity of an applicant before signing a certificate on their behalf or it could be software running on a server on your company's internal network. Data encrypted with the certificate's public key can only be decrypted using the private key held by the owner of the certificate.

In addition to the signature, a typical digital certificate also contains: the identity of the site, the identity of the person or organization that signed the certificate, the certificate's expiration date, the ID of the algorithm used to create the signature, the public key used for encryption, a cryptographic "thumbprint hash" to ensure that the contents of the certificate have not been modified, and a brief description of the intended purpose of the certificate.

SSL Server Certificate vs. Client Certificate

Every type of SSL connection supported by Robo-FTP derives its encryption from a trusted server host certificate while only the most secure connections also require client certificates. The primary purpose of client certificates is to authenticate the user and is used in lieu of a password on some servers. Robo-FTP provides a tool that allows you to generate your own client-side certificate. With Robo-FTP, you can specify a different client certificate for each managed site or define one default client certificate to use whenever a client certificate is required.

Trusting a Certificate

Robo-FTP will not establish a SSL connection unless it trusts the server's certificate. Robo-FTP automatically trusts a certificate signed by a previously trusted Certificate Authority. The operating system maintains a list of trusted CAs and Robo-FTP provides a method allowing you to explicitly trust a certificate not on the list.

SSL Connections

Robo-FTP uses the Secure Sockets Layer (SSL) protocol for FTPS and HTTPS connections. SSL was developed by Netscape to add privacy, integrity and authentication to the standard HTTP protocol but it ultimately became the normal method for securing almost all internet traffic. The process of establishing an SSL connection is sometimes referred to as "negotiation" or a "handshake."

Establishing Unilateral Connections

In a unilateral SSL connection, only the server computer provides a certificate. To establish a unilateral connection, Robo-FTP requests a secure connection from a remote site. If the remote server is capable, it responds agreeing to the secure connection and providing an SSL certificate. If Robo-FTP trusts the server's certificate it creates a temporary random encryption key, encrypts it using the server's public key, and sends it back to the server. Because the temporary key was encrypted using the server's public key it can only be decrypted with the server's private key. At this point the temporary key is a secret known only to Robo-FTP and the server. The temporary key is used to encrypt all subsequent communication between Robo-FTP and the server for the duration of the SSL session and is discarded when the session ends.

Establishing Bilateral Connections

In some enterprise situations where security is a special concern, the remote server may require Robo-FTP to provide a client certificate to prove your identity before agreeing to the SSL connection. This is known as a bilateral connection or "mutual authentication."

Note: Although the term "SSL" is still widely used for secure connections, an upgraded version know as Transport Layer Security (TLS) is actually in use on many SSL servers and supported by Robo-FTP. Robo-FTP utilizes the OpenSSL library to provide the authentication and encryption found in the SSL protocol. More about OpenSSL may be found online at www.openssl.org.