Before we get started, let's just have a refresher on how the browser-to-server encryption works and what we need to consider. This is a very brief overview specific to a basic web server scenario, so the process can vary for different scenarios:
Following are the steps that happen in a web server scenario:
- First, the browser communicates with the web server and requests the start of an SSL handshake. This is also where the browser can let the server know what cipher (encryption) algorithms it will allow.
- Next, the server responds to the browser. At this stage, the server will confirm which cipher (based on the list provided by the browser) will be used. The server will also send a copy of the public certificate to the client. The browser will then communicate with the Certificate Authority (CA) to authenticate the certificate.
- Next, the key exchange is kicked off. A session key is established. This key is based on the public key on the client side and decoded by the private key on the server side.
It's important to note that the private key is never transmitted; it always remains on the server.
- Once the session key is complete, the client will send a final confirmation to complete the handshake and await a reciprocal finalization from the server side.
- Finally, we have a secure tunnel in which encrypted data can now be transmitted. This is where the actual web content can now be sent.