Although the Secure Sockets Layer (SSL) is a protocol designed specifically for web browsers to securely access web-based applications, the fact that it encrypts information and authenticates at least one of the parties also makes it a Virtual Private Network (VPN). One of the best things about this protocol is that most computers already have a browser, so no new software needs to be added to the client in order to use this method.
A very simplified explanation of how it works: the browser client asks for a secure session with the web server. If the web server can support an SSL session, it says what it supports and sends back a certificate that includes the server’s public key as well as some other information used to negotiate a secret key. The client checks the certificate and decides whether to trust the server; if it does, it encrypts some information with the server’s public key and sends it back. That information is used to compute the secret key, and the rest of the session is encrypted with that shared secret (symmetric key cryptography).
It’s important to note that only the server was authenticated. Although the protocol includes methods for authenticating the client, the simple server-only method described above is the one most commonly used. Without additional steps, like the use of IDs and passwords or tokens, the client is anonymous.
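The exchange described in the two paragraphs above, written out as an added example (not code from the original page): both sides end up with the same session key, and the server learns nothing about who the client is. Everything here is an assumption made for illustration: the toy RSA key is far too small for real use, a pinned fingerprint stands in for the client's certificate check, and the names `handshake`, `SERVER_CERT` and `IMPOSTOR_CERT` are hypothetical.

```python
import hashlib, hmac, secrets

# Toy RSA key pair for the server (constructed from two Mersenne primes; illustration only).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent, never sent

def fingerprint(cert):
    """Hash of the certificate fields; the client's pinned trust anchor in this sketch."""
    return hashlib.sha256(repr(sorted(cert.items())).encode()).hexdigest()

def derive_key(premaster, client_random, server_random):
    """Both sides compute the symmetric session key from the same three inputs."""
    return hmac.new(premaster.to_bytes(16, "big"),
                    client_random + server_random, hashlib.sha256).digest()

def handshake(server_cert, trusted_fingerprints):
    # 1. Client asks for a secure session and sends a random value.
    client_random = secrets.token_bytes(32)
    # 2. Server replies with its own random value and its certificate.
    server_random = secrets.token_bytes(32)
    # 3. Client decides whether to trust the server; if not, it stops here.
    if fingerprint(server_cert) not in trusted_fingerprints:
        raise ValueError("untrusted server certificate, handshake aborted")
    # 4. Client encrypts a fresh secret with the server's public key.
    premaster = secrets.randbits(128)
    ciphertext = pow(premaster, server_cert["e"], server_cert["n"])
    client_key = derive_key(premaster, client_random, server_random)
    # 5. Server recovers the secret with its private key and derives the same key.
    recovered = pow(ciphertext, D, N)
    server_key = derive_key(recovered, client_random, server_random)
    # Matching keys show the server holds the private key; the client proved nothing.
    return {"client_key": client_key, "server_key": server_key,
            "server_authenticated": hmac.compare_digest(client_key, server_key),
            "client_identity": None}

# Constructed sample certificates: the genuine one and one with a different key.
SERVER_CERT = {"subject": "www.example.test", "n": N, "e": E}
IMPOSTOR_CERT = {"subject": "www.example.test", "n": (2**31 - 1) * Q, "e": E}
```

The `client_identity` field stays `None` because nothing in the exchange identifies the client, which is why IDs and passwords or tokens have to be layered on top.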
Another drawback is that needed information may not be available to a browser without the added expense of developing web services. Where a VPN is needed for access to many non-web-enabled applications, an IPsec VPN may be a better solution.