How Does SSL Work?


Below is a very simple overview of how SSL works in an asymmetric browser-to-web-server scenario.




1. The client browser (e.g. Internet Explorer, Google Chrome, Safari) requests a secure HTTPS page by typing in .


2. The web server responds by sending its SSL certificate and public key.


3. The client's browser checks the validity of the certificate, then creates a symmetric session key, encrypts it with the server's public key and sends it to the web server. The checks include:

– Verifying the certificate hasn't expired

– Checking the certificate is in an active state (e.g. not revoked)

– Comparing the Common Name (CN) of the certificate to the actual website the user browsed to (e.g. if the user typed in but the certificate name was registered to then it would throw an error/warning)

– Verifying the certificate was issued by a trusted party (e.g. GeoTrust, Thawte)


4. The web server decrypts the symmetric session key using its private key and sends the page encrypted with the symmetric session key.


5. The client browser and web server can now continue to communicate securely, encrypting and decrypting all data with the symmetric session key.
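The five steps above, worked through in Go as an added example (not code from the original page): a constructed self-signed certificate for example.com stands in for the server's, ClientVerify performs the browser's expiry, trust and hostname checks from step 3, and the session key is carried to the server with RSA-OAEP as in steps 3 and 4. The function names and the example.com host are assumptions for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed fixture standing in for the web server: an RSA key and a self-signed
// certificate for example.com valid for one day (a real server's is CA-issued).
func NewServer() (*rsa.PrivateKey, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames: []string{"example.com"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// Step 3: the browser's checks. Verify fails if the certificate has expired, if no chain
// leads to a root in trusted, or if its name does not match host (no CRL/OCSP check here).
func ClientVerify(cert *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

// Step 3, continued: the browser draws a random 256-bit session key and encrypts it
// with the certificate's public key, so only the holder of the private key can read it.
func ClientWrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Step 4: the server recovers the session key with its private key; step 5 then uses it symmetrically.
func ServerUnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}
```

Modern TLS (1.3) derives the session key from an ephemeral Diffie-Hellman exchange rather than encrypting it to the server's RSA key, so the certificate is only used to sign the handshake; the certificate checks in step 3 apply unchanged.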