The Secure Sockets Layer (SSL) protocol was created by Netscape to secure transactions between a server and a client (the browser). A third-party Certificate Authority (CA) plays a role here by vouching for the identity of one or both ends of the transaction.
Let's see how it works:
- The browser requests a secure page (a URL beginning with https://).
- The web server sends back its public key together with its certificate.
- The browser first checks that the certificate was issued by a trusted party, that it is still within its validity period, and that it relates to the requested site.
- The browser then generates a random symmetric encryption key, encrypts it with the server's public key, and sends it to the server along with the URL and HTTP data, which are encrypted with that symmetric key.
- The web server decrypts the symmetric encryption key with its private key and uses the symmetric key to decrypt the URL and HTTP data.
- The web server sends back the HTML document and HTTP data, encrypted with the symmetric key.
- The browser decrypts the HTML document and data with the symmetric key and displays the web content.
You may not be familiar with the terms public key and private key. The following diagram shows how the two keys pair up: whatever is encrypted with the public key can only be decrypted with the matching private key.
Message –> [Public Key] –> Encrypted Message –> [Private Key] –> Message
When we communicate over the network, how do we know whom we are communicating with, or whether we are dealing with the right website?
A third party guarantees that the website owner is who they claim to be. We have to trust this third party, and we have to load its certificate, a root certificate, into our browser. A certificate includes the owner's credentials, such as email address, name, certificate usage, resource location and validity period, together with the certificate ID of the party who signed this information.
Alongside all this information it also contains a public key and, at the end, a hash signed by the issuer, which ensures that the certificate has not been tampered with.
Since we have made up our minds to trust the third party, we also trust the certificates it signs. This is the certificate path: we have a root certificate loaded from a well-known Certificate Authority (CA), and the CA is responsible for maintaining the list of all the certificates it has signed and revoked. A signed certificate cannot be modified without invalidating its signature, which is what makes it secure.