How does HTTPS work?

6,050 Expert 4TB

I mean, I understand the gist of it to go something like:

Browser receives certificate from server
Browser then queries that this certificate is valid
The two swap encryption keys for deciphering the encrypted data

Of course it's a little more involved than that, and I may be wrong in my understanding (please correct me, if so). But what I don't understand is: how is this secure? Surely if the server and client are swapping the keys for the encryption this data has to be sent over the network and just like any other data it can be observed. So what do I not understand properly?

Oh, and hi everybody!

Jan 26 '11 #1

Follow Post Reply

✓ answered by Banfa

You are missing a rather important point which is that the certificate contains the sites public key. Once you have queried the certificates issuer to verify it you can then send data to the site encrypted using the public key.

Because it is a public key the data is secure since the public key can not be used to decrypt the data and the browser can use this encrypted link to securely send the required key to the remote site allowing a fully encrypted and secure link to be set-up.

Try reading everything linked to starting at

http://en.wikipedia.org/wiki/HTTP_Secure

6220

Banfa

9,065

Expert Mod 8TB

Jan 27 '11 #2

Markus

6,050

Expert 4TB

Ah! Well that makes sense.

Thanks.

Mark (goes to read)

Jan 27 '11 #3

numberwhun

3,503

Expert Mod 2GB

If I may add something as I deal with HTTPS and AS2 connections daily at work (I support a large corporate banking e-commerce system).

With HTTPS, while the certificates (as you mentioned) are passed over the network, the connection that is eventually established between the two sides is encrypted by the SSL keys. Then, the data files are then encrypted either by the SSL keys or something like PGP, and sent over that encrypted connection.

Hope this also helps.

Regards,

Jeff

Jan 29 '11 #4