Thomas

Reputation: 34188

How SSL and Certificates work between server & browser

I do not have a good understanding of how SSL and certificates work between server and browser, so I got a little write-up on this from this site: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html. Whatever they said is not very clear to me.

They said:

1) A browser requests a secure page (usually https://).

2) The web server sends its public key with its certificate.

3) The browser checks that the certificate was issued by a trusted party 
   (usually a trusted root CA), that the certificate is still valid and that the 
   certificate is related to the site contacted.

4) The browser then uses the public key, to encrypt a random symmetric 
   encryption key and sends it to the server with the encrypted URL required 
   as well as other encrypted http data.

5) The web server decrypts the symmetric encryption key using 
   its private key and uses the symmetric key to decrypt the URL and http data.

6) The web server sends back the requested html document and 
   http data encrypted with the symmetric key.

7) The browser decrypts the http data and html document using 
   the symmetric key and displays the information.

See point 2.

The browser requests a secure page and the web server just sends the public key with the certificate, with no page or data, to the browser?

If possible, please discuss what happens when the browser requests any https page. Thanks.

Upvotes: 2

Views: 8280

Answers (2)

TLS handshake happens (and is complete) before any HTTP requests are sent. And the handshake involves several messages being sent between the client and the server and back.

Here's a more detailed description of the SSL/TLS handshake.

So any HTTP requests are sent only after the SSL/TLS layer is ready. Doing otherwise would pose a security risk.

Upvotes: 3

user207421

Reputation: 310840

1) A browser requests a secure page (usually https://).

No. The browser negotiates a TLS connection in which steps 2 and 3 and some others take place. Then the browser requests a secure page and step 6 happens.

2) The web server sends its public key with its certificate.

3) The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.

OK up to here.

4) The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.

5) The web server decrypts the symmetric encryption key using its private key

4 and 5 are complete fantasy, but a common delusion. What really happens is a key negotiation algorithm whose precise nature depends on the cipher suite, but which never involves transmitting the session key.

and uses the symmetric key to decrypt the URL and http data.

6) The web server sends back the requested html document and http data encrypted with the symmetric key.

7) The browser decrypts the http data and html document using the symmetric key and displays the information.

Correct.

Upvotes: 5
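The ordering both answers describe (handshake first, certificate check inside it, HTTP only afterwards) is easy to watch from both sides in a few dozen lines of Go. The program below is an added example, not code from either answer or from the linked HOWTO: it builds a self-signed certificate for "localhost" (standing in for a CA-issued one), starts a TLS server on a loopback port, and connects two clients. The first trusts no CA, so step 3 fails and the handshake is aborted before any URL or header leaves the client; the second trusts the certificate, completes the handshake, and only then sends `GET /secret`. The names `selfSignedCert`, `serve`, `fetch` and `Run` are this example's own.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// selfSignedCert: a throwaway cert for "localhost" plus a trust store holding only it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},      // step 3: must match the host contacted
		NotBefore:    time.Now().Add(-time.Hour), // step 3: validity window
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // we just produced der, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// serve is the server side: the first Read runs the server half of the handshake.
func serve(c net.Conn) {
	defer c.Close()
	req, err := http.ReadRequest(bufio.NewReader(c))
	if err != nil {
		return // handshake aborted (e.g. the client rejected our certificate)
	}
	body := "<html>secret page at " + req.URL.Path + "</html>"
	fmt.Fprintf(c, "HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s", len(body), body)
}

// fetch is the browser side. It returns, in order, what happened on the wire.
func fetch(addr string, roots *x509.CertPool) ([]string, error) {
	// tls.Dial returns only once the handshake (cert check, key agreement) is done.
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: "localhost"})
	if err != nil {
		return nil, err // no URL, no headers, no cookies ever left the client
	}
	defer conn.Close()
	st := conn.ConnectionState()
	events := []string{fmt.Sprintf("handshake complete: version=0x%04x suite=%s cert CN=%s",
		st.Version, tls.CipherSuiteName(st.CipherSuite), st.PeerCertificates[0].Subject.CommonName)}
	// Only now does the request travel, inside TLS application-data records.
	if _, err := fmt.Fprint(conn, "GET /secret HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n"); err != nil {
		return events, err
	}
	events = append(events, "sent GET /secret")
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return events, err
	}
	return append(events, "received "+resp.Status), nil
}

// Run starts the server, then connects an untrusting client and a trusting one.
func Run() (events []string, untrustedErr error, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, nil, err
	}
	defer ln.Close()
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go serve(c)
		}
	}()
	_, untrustedErr = fetch(ln.Addr().String(), x509.NewCertPool())
	events, err = fetch(ln.Addr().String(), pool)
	return events, untrustedErr, err
}

func main() {
	events, untrustedErr, err := Run()
	fmt.Println("untrusting client:", untrustedErr, "| trusting client:", events, "| err:", err)
}
```

Run it with `go run .` and watch the untrusting client fail with an x509 "unknown authority" error while the server's `ReadRequest` never sees a request from it; the trusting client's log shows the handshake line first, then the GET, then the 200. Swap `ServerName` for anything other than "localhost" and step 3 fails the same way, which is the behaviour a browser shows as a certificate warning before it has sent anything about the page.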
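The key negotiation the answer above mentions, for the ephemeral Diffie-Hellman form that TLS 1.3 uses for its key exchange (and that earlier versions use with ECDHE cipher suites): each side sends only a fresh public value, and both compute the same secret locally, so the session key itself is never on the wire. This is an added example, not code from the answer or the linked HOWTO. X25519 is a group TLS really negotiates; the SHA-256 step at the end is an assumption standing in for TLS's HKDF key schedule, and `party` and `Exchange` are this example's own names.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// party holds one side's ephemeral X25519 key pair, generated per connection
// and discarded afterwards (the "E" in ECDHE).
type party struct{ priv *ecdh.PrivateKey }

func newParty() (*party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &party{priv: priv}, nil
}

// share is the only thing this side puts on the wire: its public value.
func (p *party) share() []byte { return p.priv.PublicKey().Bytes() }

// sessionKey combines our private key with the peer's public value. Hashing
// the shared secret is an assumption standing in for TLS's HKDF key schedule.
func (p *party) sessionKey(peerShare []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerShare)
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)
	return k[:], nil
}

// Exchange runs one agreement and returns both derived keys together with the
// transcript an eavesdropper would see (the two public shares, nothing else).
func Exchange() (clientKey, serverKey, transcript []byte, err error) {
	client, err := newParty()
	if err != nil {
		return nil, nil, nil, err
	}
	server, err := newParty()
	if err != nil {
		return nil, nil, nil, err
	}
	transcript = append(append([]byte{}, client.share()...), server.share()...)
	if clientKey, err = client.sessionKey(server.share()); err != nil {
		return nil, nil, nil, err
	}
	if serverKey, err = server.sessionKey(client.share()); err != nil {
		return nil, nil, nil, err
	}
	return clientKey, serverKey, transcript, nil
}

func main() {
	c, s, wire, err := Exchange()
	fmt.Printf("client key %x\nserver key %x\nkeys match: %v, key on wire: %v, err: %v\n",
		c, s, bytes.Equal(c, s), bytes.Contains(wire, c), err)
}
```

The transcript is 64 bytes of public values; the 32-byte key both sides end up with does not appear in it, which is the point the answer makes. In TLS the server additionally signs its share with the private key that belongs to its certificate, so the client knows the share came from the party it validated in step 3.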
