Where does SSL encryption take place?

  • I checked the data transmission of an HTTPS website (gmail.com) using Firebug. But I can't see any encryption to my submitted data (username and password). Where does SSL encryption take place?

  • Polynomial

    Polynomial Correct answer

    9 years ago

    The SSL protocol is implemented as a transparent wrapper around the HTTP protocol. In terms of the OSI model, it's a bit of a grey area. It is usually implemented in the application layer, but strictly speaking is in the session layer.

    Think of it like this:

    1. Physical layer (network cable / wifi)
    2. Data link layer (ethernet)
    3. Network layer (IPv4)
    4. Transport layer (TCP)
    5. Session layer (SSL)
    6. Presentation layer (none in this case)
    7. Application layer (HTTP)

    Notice that SSL sits between HTTP and TCP.

    If you want to see it in action, grab Wireshark and browse a site via HTTP, then another via HTTPS. You'll see that you can read the requests and responses on the HTTP version as plain text, but not the HTTPS ones. You'll also be able to see the layers that the packet is split into, from the data link layer upwards.

    Update: It has been pointed out (see comments) that the OSI model is an over-generalisation and does not fit very well here. This is true. However, the use of this model is to demonstrate that SSL sits "somewhere" in between TCP and HTTP. It is not strictly accurate, and is a vague abstraction of reality.

    Not sure about the OSI model comparison. The TCP/IP model itself doesn't quite fit into that model (see details on the TCP/IP section of the Wikipedia article).

    @Bruno I'm not sure I get what you're saying. TCP/IP is a *suite* of network protocols, whereas TCP and IPv4 are distinct protocols at individual layers in the OSI model. The OSI model makes a good abstraction in this case, because it shows where SSL sits. It doesn't need to be 100% accurate - nothing ever is with such abstractions - it's just there to aid understanding.

    I'm just saying that the OSI model is widely taught as a theoretical concept, but the TCP/IP stack (one of the most used stack of protocols) doesn't fit into that model unambiguously unfortunately. In fact, the Wikipedia page puts SSL/TLS in layer 6 (presentation), not 5 like your answer. Propagating that OSI model doesn't actually help in many cases and this layer can be very "artificial". Of course, it's a model, it will always be artificial, but the model doesn't always easily fit the reality, which gets worse when you consider protocols like VPNs for example. Even SSL/TLS doesn't quite fit

    @begueradj As we've already discussed, TLS doesn't really fit anywhere in the OSI model. Strictly speaking, it's layer 7, not 5 or 6, but in terms of where you'd place it in terms of network protocol encapsulation it sits between TCP and the application, so 5 and 6 make sense. The distinction between 5 and 6 is also a grey area, because TLS does a lot more than just encrypt the data. So, as I've said before, **this is an oversimplification** and is **only** meant to express its position in the network stack in a practical sense.

    SSL is not 'implemented as a transparent wrapper around the HTTP protocol'. You could so describe HTTPS, but not SSL.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM