ESTABLISHING THE CONNECTION
Unlike a request for a regular (http) web page or script, an SSL request
requires the browser and server to go through a few gyrations before
anything of interest to the reader can happen. Here is a simplified
outline of how the SSL connection is made.
1. The browser asks to start a secure session with the server.
2. The server returns the site's certificate.
3. The browser checks the certificate information for validity.
4. The browser creates a session key, encrypts it with the server's public key, and sends it to the server.
5. The server decrypts this information using its private key.
6. Both the browser and the server are now using the same session key.
As the webmaster, you have a degree of control over which method
and strength of encryption is required. There are environment variables
available to your pages and scripts that allow you, for example, to
see whether 128-bit encryption is supported by the browser. If you have
a policy of enforcing very strong encryption, you can send a
message back to the user suggesting they download a 128-bit
enabled browser.
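As an added example (not part of the original page), here is a CGI-style policy check that reads those environment variables. It assumes the server is Apache with mod_ssl and "SSLOptions +StdEnvVars" enabled, which exports HTTPS, SSL_CIPHER, SSL_PROTOCOL and SSL_CIPHER_USEKEYSIZE to scripts; the sample environments at the bottom are constructed, not captured from a real server.

```python
import os

# Variables exported by Apache mod_ssl with "SSLOptions +StdEnvVars"
# (assumption: the site runs on Apache/mod_ssl).
HTTPS_VAR = "HTTPS"
KEYSIZE_VAR = "SSL_CIPHER_USEKEYSIZE"  # symmetric key bits actually in use
CIPHER_VAR = "SSL_CIPHER"
PROTOCOL_VAR = "SSL_PROTOCOL"


def check_encryption(environ, min_bits=128):
    """Decide whether this request meets the site's encryption policy.

    `environ` is a mapping such as os.environ (CGI) or a WSGI environ.
    Returns (ok, message). A missing or unreadable variable is treated as
    a failure, never as a pass, so a misconfigured server cannot let weak
    sessions through silently.
    """
    if environ.get(HTTPS_VAR, "").lower() != "on":
        return False, "This page must be requested over https."
    raw = environ.get(KEYSIZE_VAR)
    if raw is None:
        return False, "Cipher details unavailable; enable SSLOptions +StdEnvVars."
    try:
        bits = int(raw)
    except ValueError:
        return False, "Cipher details unreadable; refusing to proceed."
    if bits < min_bits:
        cipher = environ.get(CIPHER_VAR, "unknown cipher")
        return False, ("Your browser negotiated %s (%d-bit). Please use a browser "
                       "that supports %d-bit encryption." % (cipher, bits, min_bits))
    proto = environ.get(PROTOCOL_VAR, "unknown protocol")
    return True, "Strong encryption in use: %d-bit, %s." % (bits, proto)


def cgi_response(environ):
    """Turn the policy decision into a minimal CGI response."""
    ok, message = check_encryption(environ)
    status = "200 OK" if ok else "403 Forbidden"
    return "Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n" % (status, message)


if __name__ == "__main__":
    # Constructed sample environments standing in for two real requests.
    strong = {"HTTPS": "on", "SSL_CIPHER_USEKEYSIZE": "128",
              "SSL_CIPHER": "RC4-MD5", "SSL_PROTOCOL": "SSLv3"}
    weak = {"HTTPS": "on", "SSL_CIPHER_USEKEYSIZE": "40",
            "SSL_CIPHER": "EXP-RC4-MD5", "SSL_PROTOCOL": "SSLv3"}
    for env in (strong, weak, dict(os.environ)):
        print(cgi_response(env))
```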
NOW WHAT?
Once both the browser and the server are using the same secret
key for encrypting and decrypting their information, they can
then have a certain amount of comfort in knowing their information
cannot be intercepted and decoded by a third party. Of course,
this depends on whether strong or weak encryption is used.
For the visitor to your site, the little lock icon will appear in
their browser. As long as you continue to use the https:
protocol, everything between the browser and your scripts is
handled transparently without you having to worry about the
details.