Another way to ask this question is: what happens after you type an https URL into your web browser?
- The browser requests a secure page (HTTPS) from a web server.
- The server sends its public key with its SSL certificate, which is digitally signed by a third party called a Certificate Authority, or simply CA.
- Once the browser gets the certificate, it checks the issuer's digital signature to make sure the certificate is valid. The digital signature was created with the CA's private key, and the browser, whether Chrome or Firefox, ships with the public keys of the major CAs pre-installed, so the signature can be verified. Once the certificate's signature is verified, the certificate can be trusted.
- The browser creates a symmetric key, or shared secret. It keeps one copy and gives the other to the web server. However, the browser does not want to send the shared secret in plain text, so it encrypts the secret with the web server's public key and then sends it to the web server.
- When the web server gets the encrypted symmetric key, it uses its private key to decrypt it. Now the web server has the browser's shared key.
From now on, all traffic between the client and the web server is encrypted and decrypted with that same symmetric key.
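The steps above, as an added example in Go (not code from the original post): the CA, the browser and the server are all played in one process so each step can be seen. The CA name, the hostname example.test, and the choice of RSA-OAEP for wrapping the key and AES-GCM for the traffic are assumptions made for the demo.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Setup plays the CA: a self-signed root and a server certificate for the constructed name
// "example.test", signed with the CA's private key. Inputs are constants, so errors are skipped.
func Setup() (caCert, srvCert *x509.Certificate, srvKey *rsa.PrivateKey) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageKeyEncipherment}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey) // self-signed root
	caCert, _ = x509.ParseCertificate(caDER)
	srvDER, _ := x509.CreateCertificate(rand.Reader, srv, caCert, &srvKey.PublicKey, caKey) // the CA's signature
	srvCert, _ = x509.ParseCertificate(srvDER)
	return caCert, srvCert, srvKey
}

// Handshake plays browser and server: verify the certificate against the trusted root, wrap a
// fresh symmetric key with the server's public key, unwrap it with the private key, then use AES-GCM.
func Handshake(trustedCA, srvCert *x509.Certificate, srvKey *rsa.PrivateKey, msg string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // the browser's pre-installed CA public key
	if _, err := srvCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "example.test"}); err != nil {
		return "", err // untrusted issuer, expired, or wrong host: stop before sending anything
	}
	secret := make([]byte, 32) // the browser's shared key; never sent in plain text
	rand.Read(secret)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, srvCert.PublicKey.(*rsa.PublicKey), secret, nil)
	serverCopy, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, srvKey, wrapped, nil) // only the private key can
	if err != nil {
		return "", err
	}
	aead := func(k []byte) cipher.AEAD { b, _ := aes.NewCipher(k); g, _ := cipher.NewGCM(b); return g }
	nonce := make([]byte, 12)
	rand.Read(nonce)
	pt, err := aead(serverCopy).Open(nil, nonce, aead(secret).Seal(nil, nonce, []byte(msg), nil), nil)
	return string(pt), err
}
```

Handing Handshake a root other than the one that signed the server certificate makes the verification step fail, and nothing is sent.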