Many of our clients here at SourceTOAD accept payments or other sensitive information through their sites. To prevent unsavory people from intercepting this information as it travels over the Internet, we encrypt it using the Secure Sockets Layer (SSL). SSL is open source software that is completely free to use, so clients are often surprised when they have to pay extra money for an SSL certificate for their site. In fact, purchased SSL certificates are not technically necessary for SSL encryption to occur and be completely safe from prying eyes. However, for all practical purposes, a secure Internet site used by the general public cannot be run without one.
Let me start off by giving a very basic explanation of how SSL works. A secure server consists of three components: a certificate, a public key and a private key. All these components are linked together in various fashions, and all are required for SSL to work. When a person—well, a person's web browser—comes to the secure site, the browser and the server connect together with a “handshake.” During this process, the server and the browser decide upon an encryption procedure using the server's private key. Note that the browser is never given the private key. Next, the server sends the certificate and public key to the browser (over the Internet, where everyone can see). The browser then looks at the certificate and confirms the information about the site is authentic. Finally, using this handshake information along with the public key, the browser and server can talk to each other securely. Even if everyone saw everything that was sent back and forth, they still would not be able to decrypt the messages... Pretty cool, huh?
Note that the certificate itself isn't really used in the encryption and decryption process. The importance of the certificate lies in establishing identity. That is, you want to be sure the site you are exchanging secure information with is actually what it seems to be. SSL aims not only to keep your communications secure, but also to ensure that you are actually talking to who you think you are. All SSL transactions require a certificate attesting to this fact. The catch is that, to verify the certificate's authenticity, someone must sign it.
This is where the payment comes in. You are paying someone credible and trusted (trusted by your browser, that is) to sign your certificate. These people are called Certificate Authorities, and their credentials come pre-installed in your browser. Your browser only trusts certain people to sign those certificates, and you must pay them for this service. So, you aren't paying for encryption; you are paying for verification that you are in fact who you say you are.
Now, as I said earlier, you don't technically need to pay for a certificate to get signed. You can sign a certificate yourself, and encryption over SSL will work just fine. The catch is that no browser will trust your self-signature. Every time someone comes to your secure website, the browser will throw up a huge warning saying, “I don't trust this certificate, I can't verify it really is what it claims to be.”
Clearly, you can't have this happening on a website where the general public goes. They'll immediately leave. However, if only a few people in your organization are going to the site, and you don't mind modifying your browser settings to trust your own signature, you can get away with signing a certificate yourself. This won't cost you anything and still will deliver the same level of encryption. In practice, it really only works on development servers. Unfortunately, almost always, you have to pay up.
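To make the two points above concrete (the certificate exists to establish identity and must be signed by someone, and a self-signed certificate works but is only trusted once you add it to the trust store yourself), here is an added example using the openssl command line. It is not SourceTOAD's own tooling or code from the post; the host names, file names and the stand-in "CA" certificate are made-up placeholders.

```shell
#!/bin/sh
# Added example for this post, not SourceTOAD's own code. It shows that
# "signing a certificate yourself" means issuer == subject, and that whether
# such a certificate is accepted depends only on what the verifier trusts.
# Host names and file names are constructed placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a private key plus a certificate signed by that same key (self-signed).
# $1 = file prefix, $2 = the site name placed in the certificate's CN.
# -nodes leaves the key unencrypted; acceptable only for throwaway dev keys.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# A self-signed certificate is one whose issuer field equals its own subject.
# Prints "yes" or "no".
is_self_signed() {
    subject=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] && echo yes || echo no
}

# Play the browser: validate certificate $2 against a trust store that
# contains only $1. Prints "trusted" or "untrusted"; the latter is what a
# browser turns into its big warning page.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Our dev site's certificate, plus an unrelated self-signed certificate that
# stands in for the CA roots a browser ships with (constructed, not a real CA).
make_self_signed dev dev.example.test
make_self_signed someca someca.example.test

is_self_signed "$WORKDIR/dev.crt"                           # yes
verify_against "$WORKDIR/someca.crt" "$WORKDIR/dev.crt"     # untrusted
verify_against "$WORKDIR/dev.crt"    "$WORKDIR/dev.crt"     # trusted
```

The second `verify_against` call is the browser's default position: the server's certificate is perfectly good for encryption, but nothing in the trust store vouches for it. The third call is what "modifying your browser settings to trust your own signature" amounts to: the same certificate is added as a trusted root, and the same check now passes. Paying a Certificate Authority buys you the third outcome in every visitor's browser without touching their settings.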