How Does SSL Work?


When the user types https://www.example.com, the browser recognizes the https:// prefix and knows that it must use the HTTPS protocol to connect to the server. When no port is specified, the default HTTPS port, 443, is used.

Once a connection is established, the client requests the server certificate. A certificate is an electronic piece of data that describes the identity of an end-point in the SSL communication, and is explained later in the chapter. The certificate is then tested for validity.

If validation succeeds, the connection process continues; if it fails, the user is informed and asked for confirmation. Optionally, the client can also provide a certificate, and the server will follow a similar validation process.

Once the identity of the server (and of the client, if necessary) has been established, the next step is to agree on a common encryption key. For that purpose, the public keys of each party are used in an algorithm to securely agree on a symmetric key. Later in this chapter, you will learn more about encryption keys and how to generate them. The agreement process is secure against eavesdroppers because when you encrypt information with the server's public key, only the server will be able to decrypt it.

The handshake phase is now complete, and the client and server can proceed with the regular exchange of information. At this point, most browsers will provide the user with visual feedback that the connection is secure, usually with a closed padlock.
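The key agreement step described above can be sketched in a few lines. This is an added example, not code from the book: it uses unpadded "textbook" RSA with a constructed demo key, and the function names and the SHA-256 key derivation are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed demo key: two Mersenne primes, chosen only because they are
# easy to write down. Real server keys use random primes and padded RSA.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537


def server_keypair():
    """Return (public_key, private_exponent) for the demo server."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+
    return (n, E), d


def derive_session_key(secret: int) -> bytes:
    """Both sides turn the shared secret into a symmetric key (simplified KDF)."""
    return hashlib.sha256(b"session key" + secret.to_bytes(160, "big")).digest()


def client_key_exchange(public_key):
    """Client: pick a random secret and encrypt it to the server's public key."""
    n, e = public_key
    secret = secrets.randbits(384)
    return pow(secret, e, n), derive_session_key(secret)


def server_key_exchange(ciphertext, public_key, private_exponent):
    """Server: recover the secret with the private key, derive the same key."""
    n, _ = public_key
    return derive_session_key(pow(ciphertext, private_exponent, n))


def run_exchange():
    public_key, d = server_keypair()  # the public half travels in the certificate
    wire, client_key = client_key_exchange(public_key)
    server_key = server_key_exchange(wire, public_key, d)
    # An eavesdropper sees public_key and wire but not d; any other
    # exponent recovers a different secret and therefore a different key.
    guess = server_key_exchange(wire, public_key, d ^ 2)
    return client_key, server_key, guess


if __name__ == "__main__":
    c, s, g = run_exchange()
    print("keys match:", c == s, "| eavesdropper guess matches:", g == c)
```

Key transport with the server's long-term RSA key, as shown here, provides no forward secrecy, which is why TLS 1.3 removed it in favour of ephemeral Diffie-Hellman.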




Apache Phrasebook: Essential Code and Commands
ISBN: 0672328364
EAN: 2147483647
Year: 2006
Pages: 254
