Where does SSL make a website safer?
Encryption. In normal HTTP, data is sent in plaintext within the network packets, and someone using a sniffer, which is a program that captures the packets, can see their contents.
However, if the data you send over your connection is highly confidential (e.g., banking data, personal emails, etc.), SSL* provides you with strong encryption that is very difficult to crack** (and HTTPS is nothing more than HTTP over SSL). This way, if someone inspects your data packets without knowing the cryptographic keys used, the content will consist only of a seemingly random and meaningless sequence of bytes.
What are the types of attacks they avoid?
Mostly attacks based on data interception. If the packets are intercepted, for those who have no knowledge of the cryptographic keys used, their contents will make no sense.
Also, without SSL, someone could maliciously alter the contents of the packets between source and destination; after all, they transit in plaintext, unencrypted. With SSL, this becomes virtually impossible, because without having the cryptographic keys you cannot make significant changes to the packet without making it appear to be simply corrupted (and then discarded altogether). The most an attacker can achieve with this is to destroy the packets, not modify them.
Does implementing SSL provide any protection against some types of attack, such as CSRF, for example?
No. That is something that should be implemented by the application; it is not the responsibility of the transport layer (which is where SSL is).
(*) - SSL (Secure Sockets Layer) was replaced by TLS (Transport Layer Security), but this detail is irrelevant to your question. SSL had three versions: 1.0, 2.0 and 3.0. Then came TLS 1.0, 1.1 and 1.2, and 1.3 is being designed. In practice, TLS 1.0 is nothing more than an SSL 3.1 whose name was changed to standardize it with the IETF (Internet Engineering Task Force).
(**) - In reality, SSL allows both parties to negotiate which cryptographic protocol will actually be used, and if both agree to a weak protocol then security is not assured. This is why it is important to set the server to reject insecure cipher suites, many of which are enabled by default on installation. SSL Labs has interesting tools to test the server and the browser.
I thank Omni and mgibsonbr for the suggestions given in their comments.
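The second footnote's advice to reject insecure cipher suites, sketched as an added example (not code from the answer above): a Python `ssl` server context restricted to TLS 1.2+ with forward-secret AEAD suites, plus a small audit of the suite names that remain enabled. The `WEAK_MARKERS` list, the function names and the `LEGACY_SAMPLE` list are assumptions constructed for this example.

```python
import ssl

# Substrings that mark suites generally treated as insecure
# (assumed list for this example, not an official registry).
WEAK_MARKERS = ("NULL", "EXPORT", "EXP-", "RC4", "DES", "MD5", "ADH", "AECDH", "anon")

# Constructed sample of suite names, as a permissive legacy default might offer.
LEGACY_SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "RC4-MD5",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "ADH-AES128-SHA",
    "TLS_AES_256_GCM_SHA384",
]

def weak_suites(names):
    """Return the cipher-suite names that contain a weak marker."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]

def hardened_server_context():
    """Server context that refuses SSLv3/TLS 1.0/1.1 and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string for TLS 1.2: ECDHE key exchange with AEAD
    # ciphers only. TLS 1.3 suites are AEAD-only and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    # A real server would also call ctx.load_cert_chain(certfile, keyfile).
    return ctx

def enabled_suites(ctx):
    """Names of the suites this context is willing to negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]

if __name__ == "__main__":
    print("weak in legacy sample:", weak_suites(LEGACY_SAMPLE))
    ctx = hardened_server_context()
    print("minimum version:", ctx.minimum_version.name)
    print("enabled:", enabled_suites(ctx))
    print("weak in hardened context:", weak_suites(enabled_suites(ctx)))
```
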
I was writing an answer, but since you are already satisfied with the answer given, I don't need to post anything else.
– Maniero
@bigown It’s not every day that I can outrun the Brazilian Jon Skeet. :D
– Victor Stafusa
@Victor And where is he? :P
– Maniero
@bigown Guess? Hint: he is the guy who has the highest reputation on the site and is known by his eye.
– Victor Stafusa
No, the fact that I answer a lot and have a high reputation does not make me comparable to Jon Skeet, who has technical competence and proven communication skills. My reputation only reflects my dedication to the website, nothing else. I consider myself a mediocre professional and envy the users here who master many things better than me. And it is not false modesty, because I do not have this quality/defect :P It is only a reality check. At best I’m the dirt under Jon Skeet’s fingernail :)
– Maniero
@Bigown Although we are using the comments for off-topic chat, I must say that your reputation reflects much more than just dedication; it also reflects quality, expertise, technical competence and proven communication. And if you are someone mediocre on the site, then that would mean that there would be no one who is good here (which is not true). You can be sure that no one in good conscience considers you mediocre around here, and your contributions are of a very high level of excellence that is very difficult to achieve.
– Victor Stafusa
The guy is humble :)
– Wallace Maxters