How does the HTTPS connection work?*
With HTTPS encryption, the web browser (client) and the server share a key known only to the two of them. To ensure that this key is visible only to the client and the server, it is generated and transmitted in three steps:
- The server (e.g. a web store or a bank) sends data for asymmetric encryption (its public key) to the client (web browser). Asymmetric means that this information can be used to encrypt data, but not to decrypt it again; decryption requires a separate, private key that never leaves the server. Attackers could record the public key, but cannot do anything with it for the time being.
- The client (web browser) generates a secret symmetric key, encrypts it with the data received from the web store (the public key) and sends the result back to the server. The server holds the matching information to undo the asymmetric encryption (its private key) and thus obtains the client's symmetric key. Symmetric means that data can be both encrypted and decrypted with this one key.
- All subsequent communication between server and client is then encrypted only with the shared symmetric key.
Even if the "man-in-the-middle" stands in between and tries to open the encryption with the spied data, this does not work.
*) using the RSA method as an example
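The three steps above, as an added example that is not part of the original page: a server RSA key pair, a client secret wrapped with the public key, and both sides deriving the same session key. It assumes textbook RSA with small constructed primes and no padding, and a SHA-256 keystream in place of a real cipher such as AES; production TLS uses padded RSA (and TLS 1.3 has dropped RSA key transport altogether in favour of Diffie-Hellman), but the flow is the one described.

```python
"""Toy model of RSA key transport as used by HTTPS with the RSA method."""
import hashlib

# Constructed demo primes (the 10,000th and 100,000th primes). Real RSA
# uses 2048-bit or larger moduli; these are only for a readable example.
P, Q = 104729, 1299709
E = 65537  # common public exponent


def server_keygen():
    """Step 0 (server): create the asymmetric key pair. The private key stays here."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # private exponent, inverse of E mod phi
    return (n, E), (n, d)        # (public key, private key)


def client_wrap_secret(public_key, secret_int):
    """Step 2 (client): encrypt the chosen symmetric secret with the public key."""
    n, e = public_key
    assert 0 < secret_int < n, "secret must be smaller than the modulus"
    return pow(secret_int, e, n)  # this is what an eavesdropper sees


def server_unwrap_secret(private_key, wrapped):
    """Step 2 (server): recover the secret; only the private key can do this."""
    n, d = private_key
    return pow(wrapped, d, n)


def derive_session_key(secret_int):
    """Both sides turn the shared secret into a 256-bit symmetric key."""
    return hashlib.sha256(secret_int.to_bytes(8, "big")).digest()


def symmetric_xor(key, data):
    """Step 3: demo stream cipher (SHA-256 counter keystream, no authentication)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def handshake_and_exchange(message, secret_int):
    """Run the whole exchange; returns what the attacker sees and what the server recovers."""
    pub, priv = server_keygen()                     # step 1: server publishes pub
    wrapped = client_wrap_secret(pub, secret_int)   # step 2: client wraps secret
    client_key = derive_session_key(secret_int)
    ciphertext = symmetric_xor(client_key, message) # step 3: client encrypts data
    server_key = derive_session_key(server_unwrap_secret(priv, wrapped))
    recovered = symmetric_xor(server_key, ciphertext)
    # An eavesdropper holding pub, wrapped and ciphertext cannot obtain the key.
    return {"wrapped": wrapped, "ciphertext": ciphertext,
            "recovered": recovered, "keys_match": client_key == server_key}
```

The public exponent, modulus, wrapped secret and ciphertext are the only values on the wire; without the private exponent `d` the wrapped secret cannot be opened.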
To describe the whole thing more figuratively:
In the first step, the web store sends an open padlock to the client. The "man-in-the-middle" copies the padlock. When the client now transfers their personal data, they seal it with the padlock and send it back to the web store. If the attacker tries to open it, they "only" have a copy of the padlock, and a padlock cannot be used to open a padlock. The web store, however, holds the personal key that opens it.