
How does the certificate work when a user accesses an HTTPS website?

When we access an HTTPS website in the browser, let's say Google, the Google server sends the user its public key and its certificate, which was signed by a CA. The user's browser then verifies the authenticity of the certificate. It does this by verifying that the certificate was issued by a trusted Certificate Authority (CA). Browsers come pre-installed with a list of trusted CAs. The browser checks the digital signature on the certificate using the CA's public key. If the signature is valid, it means that the certificate hasn't been tampered with and was indeed issued by a trusted CA. As described above, Google sends its public key when we enter https://www.google.com in the browser. Any data encrypted with this public key can only be decrypted with Google’s private key, which Google does not share with anyone. After certificate validation, the browser creates a new symmetric key, let us say a “Session Key”, and makes 2 copies of it. These keys can encrypt as wel