Https Basic Notes

The basic https encryption process
Scenario: Tom wants to visit XXX.com through https
Step1: Tom visit XXX.com, XXX.com provide its certification to Tom's browser
Step2: The browser gets XXX.com's public key which is stored in the certification
Step3: The browser generates a symmetric key and encrypts this symmetric key with the public key it gains in step2. After that the browser sends this encrypted message back to XXX.com's server.
Step4: XXX.com decrypts this message using its private key and gets the symmetric key
Step5: XXX.com and Tom begins to talk with other by using this symmetric key

But how can we know the certification provide by XXX.com is not faked(sometimes we may use proxy and the certification may not be provided by the actual XXX.com)
First we should know digit signature. A digit signature is generated in the following process

plain text->hash algorithm->abstract->private key encryption->digit signature

The certification itself contains enough information to prove itself. It contains following key parts:

1. CA - certification issuer
2. digit signature of this certification (encrypt by CA's private key)
3. XXX's public key
4. hash algorithm -> used in the digit signature

With these background information, we can know how to detect faked certification.

1. When the browser get a certification from server, it can check CA. Modern browser already has build-in information of the major CA. If browser can't find this CA, this certification can not be trusted.
2. If the CA information is correct, browser can decipher the digit signature using CA's public key since the digit signature is encrypted by CA's private key. If it can not be decrypted, this certification may be faked.
3. If the digit signature is decrypted correctly, we can get the abstract. Then browser can use the hash algorithm provided by this certification to calculate a hash text - H. If H is not same as the abstract, we can detect that this certification has been cooked during the transfer. 

Reference
https://en.wikipedia.org/wiki/Certificate_authority
​​https://segmentfault.com/a/1190000004523659