
re: Securing your website in 4 minutes - What, Why and How of HTTPS


Hi, there's a couple of bits about certificates and keys that aren't quite right there. Public keys aren't used to decrypt things as you mentioned. They are used to encrypt in the context of end-to-end encryption, or to verify signatures, often in the context of certificates. So when the client receives a server certificate, it is likely signed by a Certificate Authority. This signature is in the form of the certificate content hash being encrypted using a super secure private key. The decryption you speak of upon receiving a certificate from the server is actually the client verifying that the signature is valid, i.e. that the server is who it says it is. The certificate has the Certificate Authority's signature, the encrypted hash of the certificate content, along with the public key. So the client also performs the same hash of the certificate, decrypts the signature using the public key, and sees if the hashes match. If they do, it proves the owner encrypted it with their private key, and also proves the certificate content has not been tampered with.

The actual encryption of the messages sent over HTTPS is done through TLS, and the public/private key pairs here are used to encrypt a shared key (symmetric). If I were to go on about TLS handshakes here, though, this comment would become a bit lengthy!
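The hash-then-verify step described in the comment above, shown as an added example in Go's standard library (this is illustration code, not from the post or the commenter): a throwaway CA signs a server certificate, the "client" hashes the signed portion of the certificate and checks the signature with the CA's public key, and the same check is repeated against a tampered copy and against the wrong CA key to show both failing. The CA name, the hostname `www.example.test` and all keys are constructed here and are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a throwaway, self-signed CA (constructed for this example; no real CA is involved).
func newCA() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		SignatureAlgorithm:    x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueServerCert has the CA sign a certificate for hostname. The server's own key pair is
// generated here too; only its public half is placed inside the certificate.
func issueServerCert(caKey *rsa.PrivateKey, caCert *x509.Certificate, hostname string) (*x509.Certificate, error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2),
		Subject:            pkix.Name{CommonName: hostname},
		DNSNames:           []string{hostname},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &serverKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// manualSignatureCheck does by hand what the comment describes: hash the signed part of the
// certificate (the "to be signed" bytes), then use the CA's PUBLIC key to confirm the signature
// is that hash signed by the CA's private key. Nothing is decrypted; the signature is verified.
func manualSignatureCheck(cert *x509.Certificate, caPub *rsa.PublicKey) bool {
	digest := sha256.Sum256(cert.RawTBSCertificate)
	return rsa.VerifyPKCS1v15(caPub, crypto.SHA256, digest[:], cert.Signature) == nil
}

// chainIsValid is what a TLS client really does: build a chain to a trusted root and confirm
// the certificate was issued for the hostname being contacted.
func chainIsValid(cert, caCert *x509.Certificate, hostname string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err == nil
}

// tamperedCopy flips one bit of the hostname inside the DER bytes and re-parses, simulating a
// certificate whose contents were altered after the CA signed it.
func tamperedCopy(cert *x509.Certificate, hostname string) (*x509.Certificate, error) {
	raw := append([]byte(nil), cert.Raw...)
	i := bytes.Index(raw, []byte(hostname))
	if i < 0 {
		return nil, fmt.Errorf("hostname not found in DER")
	}
	raw[i] ^= 0x01 // 'w' becomes 'v': still a printable character, so the DER still parses
	return x509.ParseCertificate(raw)
}

func main() {
	caKey, caCert, err := newCA()
	if err != nil {
		panic(err)
	}
	leaf, err := issueServerCert(caKey, caCert, "www.example.test")
	if err != nil {
		panic(err)
	}
	bad, err := tamperedCopy(leaf, "www.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine cert, manual check:", manualSignatureCheck(leaf, &caKey.PublicKey))
	fmt.Println("genuine cert, chain + hostname:", chainIsValid(leaf, caCert, "www.example.test"))
	fmt.Println("tampered cert, manual check:", manualSignatureCheck(bad, &caKey.PublicKey))
	fmt.Println("tampered cert, chain + hostname:", chainIsValid(bad, caCert, "www.example.test"))
}
```

The manual check only proves "this CA signed these exact bytes"; `chainIsValid` is the part a browser adds on top, rejecting a perfectly signed certificate that was issued for a different hostname or by a CA the client does not trust.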

 

Thanks for clarifying, Vin! I'll make the changes in the post.
