How does HTTPS work?
- The client requests a secure HTTPS page.
- The web server responds by sending its certificate, which contains the server's public key.
- The client checks the validity of the certificate, creates a symmetric session key, encrypts that key with the server's public key and sends it back to the web server.
- The web server decrypts the symmetric session key using its private key and sends the page encrypted with the symmetric session key.
- A secure session has now been established between the client browser and the web server.
HTTPS pages typically use one of two secure protocols to encrypt communications: SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both TLS and SSL use what is known as an ‘asymmetric’ Public Key Infrastructure (PKI) system. An asymmetric system uses two ‘keys’ to encrypt communications, a ‘public’ key and a ‘private’ key. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.
The ‘private’ key should be kept strictly protected and should only be accessible to the owner of the key. In the case of a website, the private key remains securely ensconced on the web server. Conversely, the public key is intended to be distributed to anybody and everybody who needs to be able to decrypt information that was encrypted with the private key.
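The exchange in the steps above, written out as an added Go example that is not part of the original page: the server generates an RSA key pair (the public half being what the certificate carries), the client wraps a fresh symmetric session key with that public key, the server unwraps it with its private key, and the page is then sealed under the symmetric key. The 2048-bit key size, RSA-OAEP as the wrapping scheme, AES-GCM as the symmetric cipher and the sample page content are assumptions, not details given on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Step 2: the server's RSA key pair; the public half is what its certificate carries (2048 bits is an assumed size).
func serverKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Step 4: the client draws a fresh 256-bit session key and RSA-OAEP-encrypts it to the server's public key.
func clientWrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Step 5: only the server's private key can unwrap the session key.
func serverUnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// Steps 5-6: the page travels under the symmetric key; AES-GCM also authenticates it, so a tampered record fails to open.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // only fails on a bad key length, and 32 bytes is valid
	g, _ := cipher.NewGCM(block)
	return g
}
func sealPage(key, page []byte) ([]byte, error) {
	nonce := make([]byte, 12) // standard 96-bit GCM nonce, prefixed to the record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm(key).Seal(nonce, nonce, page, nil), nil
}
func openPage(key, record []byte) ([]byte, error) {
	if len(record) < 12 {
		return nil, errors.New("record too short")
	}
	return gcm(key).Open(nil, record[:12], record[12:], nil)
}
```

Call order for one session is serverKeyPair, clientWrapSessionKey, serverUnwrapSessionKey, then sealPage on the server and openPage on the client. This RSA key transport is what the steps above describe; current TLS (1.3) instead derives the session key with ephemeral Diffie-Hellman, so a later compromise of the server's private key does not expose recorded sessions.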