When you started reading this comic, your browser displayed a lock on the address bar.
How did that happen?
But first, they needed to agree on how to communicate securely.
This process, the negotiation between a browser and a server, is called 'the handshake'.
It happens very fast. We are going to show you how it works.
Take it away, guys!
Ready? Here is what the 'handshake' in slow-motion looks like.
Done!
Let's do it again, but faster.
A-G-A-I-N!
Stop!
Let's break it down. Step by step.
I send a list of SSL/TLS versions and encryption algorithms that I can work with to Compugter. Nowadays, I prefer TLS 1.3, so I send a key_share as well.
A fancy word for the encryption algorithm list is 'cipher suite'.
So you can sound like a pro at the dinner table.
The SSL and TLS protocols have evolved over time; we'll talk more about that soonish.
And then I wait for an answer from Compugter.
I choose TLS 1.3 and a cipher suite. I also return my key_share. From here, TLS 1.3 encrypts the rest of the handshake.
Immediately after, I send my certificate, which includes my public key, so they can verify who I am.
I check Compugter's certificate to make sure they are legit.
Since we both sent a key share previously, we can both derive the same secret, unlocking secrecy.
From ServerHello onward (step two), the handshake is encrypted.
They exchange Finished messages to prove they derived the same secret — and boom, session keys are ready in one round-trip.
Passwords, credit card details, everything.
Simple, right?
Next time you connect to a website securely via HTTPS, give your browser the shaka because you know their secret handshake.
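
The key_share step from the breakdown above, as an added example that is not part of the original comic: both sides exchange X25519 public values, the server picks a version and cipher suite, and each side derives the same secret. The message dictionaries, function names, and the single HKDF-Extract call standing in for the full TLS 1.3 key schedule are simplifying assumptions.

```python
import hashlib, hmac, secrets

P = 2**255 - 19                       # Curve25519 field prime (RFC 7748)
BASE = (9).to_bytes(32, "little")     # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Educational only: not constant-time."""
    k_int = int.from_bytes(k, "little")
    k_int = (k_int & ~7 & ((1 << 254) - 1)) | (1 << 254)   # clamp the scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def server_hello(client_hello, versions, suites):
    """Server side: choose by server preference (raises if nothing overlaps)."""
    version = next(v for v in versions if v in client_hello["versions"])
    suite = next(s for s in suites if s in client_hello["cipher_suites"])
    priv = secrets.token_bytes(32)
    hello = {"version": version, "cipher_suite": suite,
             "key_share": x25519(priv, BASE)}
    return hello, x25519(priv, client_hello["key_share"])

def handshake_secret(shared: bytes) -> bytes:
    # Simplified: one HKDF-Extract (HMAC-SHA256, zero salt), not the real schedule.
    return hmac.new(b"\x00" * 32, shared, hashlib.sha256).digest()

def run_handshake():
    """Client side: offer versions, suites and a key_share, then derive."""
    c_priv = secrets.token_bytes(32)
    client_hello = {
        "versions": ["TLS 1.3", "TLS 1.2"],
        "cipher_suites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
        "key_share": x25519(c_priv, BASE)}
    hello, server_shared = server_hello(
        client_hello, ["TLS 1.3"],
        ["TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"])
    client_shared = x25519(c_priv, hello["key_share"])
    return hello, handshake_secret(client_shared), handshake_secret(server_shared)
```

Only the two public key_share values cross the wire; the private scalars never leave their owners, which is why an observer of both hello messages cannot compute the secret.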