SSH and SSL: What’s the Difference for Security Sake?
When it comes to security online, you want to feel good about sending information across the web. SSH and SSL are here to help keep your information secure. So, what’s the difference between the two?
It might be easy to confuse them. They both consist of three letters, they both start with two ‘Ss’, and they help keep vital information secure (and more).
But, yes, they are different and your confusion will soon end.
WPMU DEV UPDATE — OCTOBER 2020
In this article, I’ll be going over all things SSH and SSL.
The areas we’ll cover are:
- What is SSH?
- What is SSL?
- How TLS Plays a Part
- Similarities and differences between them
- The importance of each one
- Why we use it
- The authentication process
- All about encryption
- Setting up SSH and SSL in The Hub
To get started, it’s important to know what SSH and SSL are. So…
What is SSH?
SSH (Secure Shell) is a way to communicate with a remote computer securely. It’s used for executing commands remotely.
So, for example, if you’re on vacation in the Bahamas, you can access your work website remotely, perform commands, and edit (although, why would you do this on such a great vacation?).
It does this by interacting with another system’s operating shell and functions by using public-key cryptography for connection and authentication.
This makes gaining access to a WordPress site possible in a secure way to ensure nobody has access to your connection while you’re on it.
What’s the Importance of It?
It’s important because it secures the connection between the client and the server, even when that connection crosses unsecured networks.
The client uses the remote host information to initiate a connection, and, when the credentials are verified, it establishes the encrypted connection.
On the server-side, there’s an SSH daemon that’s regularly listening to a specific TCP/IP port for a potential client connection request.
When a client initiates a connection, the SSH daemon will get back to it and reply with the software and the protocol versions it supports.
The two exchange their identification data and (if the credentials pan out) create a new session for the appropriate environment.
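The version exchange described above can be inspected before any credentials are sent. The following is an added example, not code from the original article: it parses the identification string an SSH daemon sends (format from RFC 4253, section 4.2) and flags servers that still accept the legacy SSH-1 protocol. The sample banners are constructed.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ssh_ident(raw: bytes) -> dict:
    """Parse the identification string an SSH daemon sends on connect.

    A server may send other text lines first; only the line that starts
    with "SSH-" is the identification string.
    """
    for line in raw.decode("utf-8", errors="replace").split("\n"):
        line = line.rstrip("\r")
        if not line.startswith("SSH-"):
            continue  # pre-banner text, which clients ignore
        if len(line) > 253:  # the limit is 255 bytes including CR LF
            raise ValueError("identification string too long")
        m = _IDENT.match(line)
        if not m:
            raise ValueError(f"malformed identification string: {line!r}")
        proto = m.group("proto")
        return {
            "proto": proto,
            "software": m.group("software"),
            "comments": m.group("comments"),
            # "1.99" means SSH-2 plus compatibility with SSH-1 clients
            "speaks_ssh2": proto in ("2.0", "1.99"),
            "legacy_ssh1": proto != "2.0",
        }
    raise ValueError("no SSH identification string found")


# Constructed sample banners (not captured from real hosts).
MODERN = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"
LEGACY = b"Welcome to example host\r\nSSH-1.99-ExampleSSHD_1.0\r\n"

if __name__ == "__main__":
    for banner in (MODERN, LEGACY):
        print(parse_ssh_ident(banner))
```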
Why Do We Use It?
People use SSH to securely communicate with another computer. By using it, the exchange of data is encrypted through the internet pathways.
This ensures that anyone who sees the data without being supposed to would not be able to read what is in it.
With SSH, you can then access sites and use commands to perform various functions (e.g. add a new file from the Bahamas).
The Key(s) to the Authentication Process
The authentication is pretty straightforward and simple.
It starts with creating a key pair, which the user typically does with ssh-keygen. Private keys stick with the user, while the public key goes to the server.
A server stores the public key and marks it as authorized. From this point, a server will now allow access to anyone who can show proof that they have the corresponding private key.
The private key is typically kept private by the user setting a passphrase for it.
Then, when a private key is needed, the user has to supply the passphrase so that the private key can be decrypted.
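To see which public keys a server has marked as authorized, you can list the fingerprint of each entry in its authorized_keys file. The following is an added example, not code from the original article: it parses one authorized_keys line, checks that the key-type label matches the key data, and computes the SHA256 fingerprint in the format `ssh-keygen -l` prints. The sample key and the `dev@laptop` comment are constructed placeholders.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data


def audit_authorized_key(line: str) -> dict:
    """Parse one line: [options] keytype base64-key [comment]."""
    fields = line.strip().split()
    # Options, if present, precede the key type, so locate the type field.
    # Simplification: assumes no option value is itself a key type name.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no recognised key type followed by key data")
    key_type = fields[idx]
    blob = base64.b64decode(fields[idx + 1], validate=True)
    if len(blob) < 4:
        raise ValueError("key data too short")
    # The blob repeats the key type; a mismatch means an edited or corrupt line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type label does not match key data")
    digest = hashlib.sha256(blob).digest()
    return {
        "type": key_type,
        "options": " ".join(fields[:idx]),
        "comment": " ".join(fields[idx + 2:]),
        # Unpadded base64 of the SHA-256 hash of the key blob.
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
    }


# Constructed sample key: 32 placeholder bytes, not a real user's key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("no-port-forwarding ssh-ed25519 "
               + base64.b64encode(SAMPLE_BLOB).decode() + " dev@laptop")

if __name__ == "__main__":
    print(audit_authorized_key(SAMPLE_LINE))
```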
Setting up SSH in the Hub
If you’re new to WPMU DEV or do not have an account with us, The Hub is where you can manage, update, monitor, and scan WordPress sites, all in one place.
It’s where you can allow SSH authentication, too.
In this example, I’m going to show you how to get SSH quickly set up in our Hub 2.0.
Then, I’ll provide a link to an article of ours that has a ton of very useful and detailed information that shows how to log in to a cloud server, generate a public and private key pair, run commands, and everything else you need to know for SSH.
Note: If you are not hosting with us, your hosting service should have an admin section where you can upload the public key.
Every hosting service is a bit different, so you may need to reach out to them for assistance.
Ok, back to The Hub…
When you’re logged into the Hub, select your website and then click on the Hosting tab.
Once you click the Hosting tab, more options will appear.
From this point, click on the SFTP/SSH tab.
This takes you to a screen where you can view your SFTP/SSH Accounts and Users.
For this post, we’re interested in SSH. For a detailed tutorial on using SFTP, see this post on using SFTP to transfer your files securely.
Setting up a new user with an SSH account is quick and easy to do.
First, click on Add User.
This will give you two options: SFTP User or SSH User.
Clicking on SSH User will take you to an area where you fill out specific information for a new user.
Create a Username and Password (or use the funky password we’ll automatically generate for you).
Next up is Path Restriction. If you like, you can limit the user’s access to your entire wp-content directory, or just to your Plugins, Themes, and Uploads folder.
If you want no restrictions, just keep it on the default of None.
You can also choose the Environment (i.e. Production or Staging).
When you have all of the necessary information inputted, click the blue Add button.
The new user will now appear in the dashboard. He or she will use the information to log into SSH to work on your site with commands and more.
You can edit the user, password, restrictions, and environment for any user at any time.
There’s a ton you can do with SSH and it’s easy to get started. For more detailed information, please check out our article all about SSH.
And now that you know about SSH…
What is SSL?
You may not be aware of this, but you’re probably already familiar with SSL and what it’s evolved into.
For example, have you ever logged into your checking account or another website (e.g. one about Bahama vacations) and noticed it starts with “https://” instead of just “http”? There’s an “s”. Hmm…
Or, for an even quicker example, check out the lock to this post here on WPMU DEV from my browser.
You’ll notice in the address bar, we have a lock before our URL. I told you that you were already familiar with it ;)
SSL (Secure Sockets Layer) was the standard security technology for establishing an encrypted link between a server and a browser until 2011 when TLS took over.
This link ensures that all data that is passed between the web server and browser stays private.
When you visit a website that has a form and you fill out your information, SSL helps keep it secured. If you did this on an unsecured website, that information could be intercepted by (yikes) hackers.
It’s often used for user account pages, online checkout, and any site where important or sensitive information is used.
With SSL, your browser will form a connection with the server, look for an SSL certificate, and then establish the secure connection between your browser and the server.
The connection is secure so that only you and the site that you submitted the information can access or see what you input in your browser.
The connection is instant and is typically faster than an unsecured website. If you have a website with SSL, you’ll score much better with SEO as well as security.
Why Do We Use It?
Simply put…to stay secure!
It’s important that information doesn’t get into the wrong hands and you feel at ease when transmitting personal information online.
Otherwise, some crook might take that money you were going to use on vacation and go on one himself.
What’s the Importance of It?
It’s important to keep information safe when online.
With SSL, sensitive information is sent across the Internet encrypted. That means only the intended receiver can access it.
Also, an SSL certificate provides authentication. This ensures that you’re sending the information to the right place and not some hacker who is trying to swipe your information.
SSL providers are important to help verify a company. They use several identity checks to make certain that the website’s owner is who they say they are.
A browser or a server will attempt to connect to a website with SSL. The browser then asks (requests) that the web server identifies itself.
The web server will then send the browser (or server) a copy of its SSL certificate.
The browser checks it out to make sure it can trust it. If it can, it sends a message to the web server.
From here, the web server sends back an acknowledgment that’s digitally signed. This starts an SSL encrypted session.
Data between the browser/server and the secure SSL server is shared securely because it’s encrypted.
Getting Set Up in the Hub
This is extremely easy to set up because, well, it’s already done for you!
All websites that are hosted with WPMU DEV are provided with SSL certificates.
Considering how unsafe unsecured sites are, it’s essential for us to provide members with this automatically.
You can see the SSL status of your site by clicking on your website’s URL, then Hosting>Domains.
It will have a green checkmark underneath SSL status if all is running well.
Keep in mind that when you add a site, it may take several minutes for a certificate to be ready.
Sometimes the process can take hours or, in very rare cases, an entire day. It just depends on how fast your DNS settings propagate.
Custom SSL Certificates
Adding a custom SSL is an option for you as well with our hosting.
The first thing you’ll need to do is submit a Certificate Signing Request (CSR) to a Certificate Authority. Certificate providers (e.g. CSR Generator) usually have tools or can assist you in generating the CSR.
When you obtain the CSR, it’s important to save a copy of the Private Key.
Now, you’ll use the CSR to purchase the SSL certificate. This will give you a Private Key, Certificate, and Certificate Chain.
Your SSL provider should be able to provide you with this information if they create a CSR with their interface.
Keep in mind, you can use wildcard SSL certificates, too.
Our team can upload those for you exactly like non-wildcard certificates.
Also, our support staff can help with adding custom certificates. You can start a live chat or create a support ticket. Either way, we’ll get you all set up.
To learn more about SSL, be sure to check out our article How to Use SSL and HTTPS with WordPress.
How TLS Plays a Part
Whenever you see SSL being mentioned, you’ll often see TLS, too.
So, what’s TLS?
TLS (Transport Layer Security) is the standard security protocol that is designed to facilitate privacy and data security over the Internet.
It encrypts the information that is being communicated between web applications and servers (e.g. web browsers loading a website).
You often see the name SSL/TLS used interchangeably. TLS is basically an upgraded version of SSL. However, there are a few minor distinctions.
Here are five of them:
- Alerts: TLS removes the No Certificate alert message and replaces it with several other alert messages. Meanwhile, SSL has a No Certificate alert message.
- Cipher Suites: TLS doesn’t offer any support for the Fortezza cipher suite; however, SSL does. TLS follows an improved standardization process that helps make defining new cipher suites simpler (e.g. RC4).
- Handshake: With SSL, the hash calculation additionally encompasses the master secret and pad. With TLS, the hashes are calculated over the handshake message.
- Record Protocol: TLS uses HMAC, which is a hash-based message authentication code. It’s used after each message encryption. SSL uses a Message Authentication Code (MAC) after encrypting each message.
- Message Authentication: TLS depends on HMAC (Hash-based Message Authentication Code), while SSL authenticates by adjoining the key details and application data in an ad-hoc way.
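The last two distinctions are easier to see in code. The following is an added example, not code from the original article: it computes the record MAC both ways over the same data, following RFC 6101 (SSL 3.0) and RFC 2246 (TLS 1.0), and writes HMAC out by hand to show how it mixes in the key. The secret and the record contents are constructed.

```python
import hashlib
import hmac
import struct


def ssl3_mac(secret: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """SSL 3.0 record MAC with SHA-1 (RFC 6101, section 5.2.3.1)."""
    pad1, pad2 = b"\x36" * 40, b"\x5c" * 40  # 40 pad bytes for SHA-1
    header = struct.pack(">QBH", seq, ctype, len(fragment))
    inner = hashlib.sha1(secret + pad1 + header + fragment).digest()
    # Key and pads are simply concatenated: the ad-hoc construction.
    return hashlib.sha1(secret + pad2 + inner).digest()


def tls_mac(secret: bytes, seq: int, ctype: int, version: tuple,
            fragment: bytes) -> bytes:
    """TLS 1.0 record MAC: HMAC-SHA1 (RFC 2246, section 6.2.3.1)."""
    header = struct.pack(">QBBBH", seq, ctype, version[0], version[1],
                         len(fragment))
    return hmac.new(secret, header + fragment, hashlib.sha1).digest()


def hmac_sha1_by_hand(key: bytes, msg: bytes) -> bytes:
    """HMAC spelled out (RFC 2104): the key is XORed into block-sized pads."""
    key = key.ljust(64, b"\x00")  # SHA-1 block size; assumes len(key) <= 64
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return hashlib.sha1(opad + hashlib.sha1(ipad + msg).digest()).digest()


def verify_tls_record(secret, seq, ctype, version, fragment, tag) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = tls_mac(secret, seq, ctype, version, fragment)
    return hmac.compare_digest(expected, tag)


# Constructed sample: application data (type 23), TLS 1.0 is version (3, 1).
SECRET = bytes(range(20))
RECORD = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print("SSL 3.0 MAC:", ssl3_mac(SECRET, 0, 23, RECORD).hex())
    print("TLS 1.0 MAC:", tls_mac(SECRET, 0, 23, (3, 1), RECORD).hex())
```

Because the sequence number is part of the MAC input, a record replayed at a different position in the stream fails verification.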
As you can see, they’re different but are also very similar in nature.
You also now know why you often see SSL/TLS together. TLS fixes some of the security vulnerabilities in the earlier SSL protocols.
Something to remember is that your certificate is not exactly the same as the protocol that your server will use. That means you do not need to change your certificate to use TLS.
Sure, it may be labeled as an SSL certificate, but your certificate already supports both the SSL and TLS protocols.
If you’d like to check out what version of SSL/TLS your web browser is using, you can cruise over to the How’s My SSL tool. It’ll show you instantly.
TLS is going to become a more and more common term than SSL soon, so get used to it. After all, TLS is the standard.
Now that we’ve looked at SSH and SSL/TLS — what are the similarities and differences?
I’ve gone over how they function and what they do, however, the big takeaway is they both use encryption to protect data that is being passed between two network devices.
Here’s a quick breakdown of some of the essential differences between the two:
While we are comparing security protocols and acronyms that start with “s,” the other thing you should know about is when to use SSH vs SFTP.
This is important if you plan to access files on your hosting server securely. Fortunately, we have written an entire article about it here: What is SFTP? How to Transfer Your Files Securely.
Feel Secure Yet?
Security has many layers and differences, as you can see. A strong password isn’t the only thing that’s going to protect you.
Both SSH and SSL have their unique purposes and do what they can to help.
SSL is the primary requisite of security on the web; SSH is an added safety feature of it. When you add TLS into the mix, all three of them render strong and mighty security and safer communication in the web hosting process.
SSH does have some additional features, such as providing multiple data channels to its applications.
It supports remote program execution, TCP connections, and more, which is why it is often used by web hosting companies as the sole security protocol.
However, when implemented correctly, they all work well to help keep your information secure.
And now the big difference between SSH and SSL is you’re no longer confused by them.