# Secure Website Demo

* This demonstration takes you through the entire process of going to a secure website. This is accomplished through the [SSL/TLS](https://computer.howstuffworks.com/encryption4.htm) (Secure Sockets Layer/Transport Layer Security) protocols, and involves symmetric encryption, asymmetric encryption, hashing, keys and a [Certificate Authority](https://www.ssl.com/faqs/what-is-a-certificate-authority///) (CA).
* For instance, let us instruct our web browser to go to *Citibank's* website.
* The browser transmits a list of algorithms it supports to the web server.
* The server selects the algorithms to use, and sends its digital certificate to the browser.
* *Click the link below to see the graphical representation of the above steps:*
  *https://youtu.be/1DPSXEb_bLA*
* The browser then verifies that the digital certificate isn't revoked or expired.
* If the certificate is valid, the browser extracts the server's public key from the certificate.

![](https://i.imgur.com/wAvk4bn.jpg)

* The browser then generates a random value, known as the [Premaster Secret](https://ldapwiki.com/wiki/Premaster%20Secret), encrypts it with the server's public key, and transmits the [Ciphertext](https://whatis.techtarget.com/definition/ciphertext#:~:text=Ciphertext%20is%20encrypted%20text%20transformed,the%20ciphertext%20back%20into%20plaintext.) to the server.
* The server decrypts the ciphertext with its private key to recover the Premaster Secret.
* The browser and server use the same premaster secret to create the same master secret.
* The master secret is used by the browser and the server to create symmetric session keys for encrypting, decrypting and hashing.
* *Click the link below to see the graphical representation of the above steps:*
  *https://youtu.be/rOQ2KZrXmBk*

#### **How does the browser know that the key on the certificate is Citibank's actual public key?**

* The CA hashed the public key of *Citibank* and encrypted it with the CA's private key. That's the field on the digital certificate known as the digital signature.

![](https://i.imgur.com/gFcXwoe.jpg)

* The browser retrieves the CA's digital certificate from a trusted root certificate store, *stored locally on the machine*, and decrypts the encrypted hash with the CA's public key, found on the CA's digital certificate.
* The browser also hashes *Citibank's* public key itself.
* If the two hashes match, the hash of *Citibank's* public key could only have been encrypted by the CA.
* If the hash decrypts with the CA's public key, it could only have been encrypted with the CA's private key.

![](https://i.imgur.com/bfoPYlD.jpg)

* This proves that the CA is really the CA, and *Citibank's* public key is really *Citibank's* public key. The website is **Legit** and **Secure**.

### Learn more

> The above demonstration just illustrates what happens when one entity is known and has a public key and digital certificate.
> How would this work for two parties without digital certificates that have never met or exchanged keys?
> https://youtu.be/YEBfamv-_do
>
> **Additional Resources on how a CA works**
> https://opensrs.com/blog/2015/05/dv-ov-or-ev-how-to-offer-the-right-ssl-certificate/
> https://www.troyhunt.com/extended-validation-certificates-are-dead/
> https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/
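The two steps in the demo where "the browser and server use the same premaster secret to create the same master secret" and then "create symmetric session keys" are the TLS 1.2 key derivation of RFC 5246 (the PRF built on HMAC-SHA256). The following is an added example, not code from the demo, that carries those two steps through on both sides with only the Python standard library; it assumes the premaster secret has already been delivered to the server under its public key (that RSA step is not shown), and the sample premaster secret and handshake randoms are constructed.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: A(0)=seed, A(i)=HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; browser and server both compute it from the premaster."""
    return prf(premaster, b"master secret", client_random + server_random, 48)

def session_keys(master: bytes, client_random: bytes, server_random: bytes,
                 mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Expand the master secret into per-direction MAC keys, cipher keys and IVs.
    Randoms go server-first here, the reverse of master_secret(); defaults fit
    AES-128-CBC with HMAC-SHA256 (32-byte MAC keys, 16-byte keys and IVs)."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    layout = [("client_write_mac_key", mac_len), ("server_write_mac_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def derive_both_sides(premaster: bytes, client_random: bytes, server_random: bytes):
    """Browser and server derive independently from the premaster secret (assumed
    already delivered under the server's public key); returns (browser, server)."""
    ms_browser = master_secret(premaster, client_random, server_random)
    ms_server = master_secret(premaster, client_random, server_random)
    return (session_keys(ms_browser, client_random, server_random),
            session_keys(ms_server, client_random, server_random))

if __name__ == "__main__":
    # Constructed sample: premaster secret (first two bytes = client TLS version 0x0303) and randoms.
    pm, cr, sr = b"\x03\x03" + os.urandom(46), os.urandom(32), os.urandom(32)
    browser, server = derive_both_sides(pm, cr, sr)
    print("session keys agree:", browser == server)
```

Note that TLS 1.3 replaced this PRF with an HKDF-based schedule, so the derivation above matches the RSA-key-exchange flow the demo describes (TLS 1.2 and earlier).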