- Browser receives certificate from server
- Browser then checks whether this certificate is valid
- The two swap encryption keys for deciphering the encrypted data
Of course it's a little more involved than that, and I may be wrong in my understanding (please correct me if so). But what I don't understand is: how is this secure? Surely, if the server and client are swapping the keys for the encryption, this data has to be sent over the network, and just like any other data it can be observed. So what do I not understand properly?
Oh, and hi everybody!
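To illustrate the key-exchange step in the list above, here is an added example (not part of the original post, and not real TLS code): a toy finite-field Diffie-Hellman handshake in Python in which the observer is handed every value that crosses the wire. The group parameters (the 61-bit Mersenne prime and generator 3) are constructed for readability and assumed only for this demonstration; `observer_naive_guess` and `observer_brute_force` are hypothetical helper names, not library APIs.

```python
"""Toy finite-field Diffie-Hellman handshake, constructed for this page.
Both sides agree on a session key while a passive observer sees every
message; the private exponents never leave their owners."""
import hashlib
import secrets
from collections import namedtuple

# Public group parameters (assumed for this demonstration). 2**61 - 1 is a
# Mersenne prime chosen only so the numbers stay readable; TLS uses
# 2048-bit-or-larger MODP groups (RFC 7919) or elliptic curves such as X25519.
P = 2**61 - 1
G = 3

Handshake = namedtuple("Handshake", "client_key server_key wire secret")


def keypair(p=P, g=G):
    """Private exponent stays local; only the public value g^priv goes on the wire."""
    priv = secrets.randbelow(p - 2) + 1      # 1 <= priv <= p - 2
    return priv, pow(g, priv, p)


def shared_secret(their_pub, my_priv, p=P):
    """(g^b)^a == (g^a)^b mod p, so both sides reach the same value."""
    # Reject degenerate peer values (0, 1, p-1) that would force a trivial secret.
    if not 1 < their_pub < p - 1:
        raise ValueError("rejecting degenerate public value")
    return pow(their_pub, my_priv, p)


def derive_key(secret, transcript):
    """Session key = H(shared secret || transcript), a simplified HKDF-style step."""
    h = hashlib.sha256()
    h.update(secret.to_bytes((secret.bit_length() + 7) // 8, "big"))
    h.update(transcript)
    return h.digest()


def handshake(p=P, g=G):
    """Run one exchange; return what each side derived plus what an observer saw.
    `secret` is returned only so the demonstration can compare the observer's
    guesses against it; real code never exposes it."""
    c_priv, c_pub = keypair(p, g)
    s_priv, s_pub = keypair(p, g)
    # Everything in `wire` crosses the network in the clear.
    wire = {"p": p, "g": g, "client_pub": c_pub, "server_pub": s_pub}
    transcript = repr(sorted(wire.items())).encode()
    client_key = derive_key(shared_secret(s_pub, c_priv, p), transcript)
    server_key = derive_key(shared_secret(c_pub, s_priv, p), transcript)
    return Handshake(client_key, server_key, wire, shared_secret(s_pub, c_priv, p))


def observer_naive_guess(wire):
    """Multiplying the two public values gives g^(a+b), not g^(ab)."""
    return (wire["client_pub"] * wire["server_pub"]) % wire["p"]


def observer_brute_force(pub, p, g, max_steps):
    """The real attack: solve g^x == pub mod p (discrete log) by trial.
    Works for toy primes; returns None once the step budget is exhausted."""
    x, acc = 0, 1
    while x < max_steps:
        if acc == pub:
            return x
        acc = (acc * g) % p
        x += 1
    return None


if __name__ == "__main__":
    hs = handshake()
    print("keys match:", hs.client_key == hs.server_key)
    print("observer sees:", hs.wire)
    print("naive guess is the secret:", observer_naive_guess(hs.wire) == hs.secret)
    print("discrete log, p=23:", observer_brute_force(pow(5, 6, 23), 23, 5, 23))
    print("discrete log, p=2^61-1 (10k steps):",
          observer_brute_force(hs.wire["client_pub"], P, G, 10_000))
```

Nothing that crosses the wire is the session key: each side computes it from its own private exponent and the other side's public value, and an observer holding both public values is left with the discrete logarithm problem, trivial at p = 23 and out of reach at the group sizes TLS actually uses. One caveat the example does not cover: Diffie-Hellman alone does nothing against an active attacker who replaces the public values with their own, which is why the certificate check in the second list step matters, since the server's key share is bound to its certificate by a signature.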