I was just reading about the differences between http and https briefly. And what I have not understood is the following possible scenario:
Everyone has SSL public key right?
So, anyone can get the public key from a web server and then use it to decrypt the messages sent from the web server? This way, if the web server sends any secret information, the intruders can know that, right?
I understood that private key is with the web server, so only the web server can decrypt the encrypted message (using public key) send by the browser. And so the data sent from the browser is secured. But I doubt if the data received from the web server is really secured.
Or let's say if the public key changes from user to user. But the intruder can hack it when the browser sends it for the first time right?
Please correct me if I understood it wrong.
EDIT: Okay, I think I get it from the description provided by the questioner in this link:
How does SSL work? Isn't there a hole?
It says:
When Client connects to company.com on its SSL-secured port, the company sends back its public key (and some other information, like what Ciphers it supports). ... Once the client is happy with the server (and the server with the client, if needed), then the client choose an SSL Cipher to use from the list of encryption methods provided by the server, and generates a “symmetric key” (password) for use with that Cipher. The client encrypts this password using the server’s public key and sends it back to the server. The server (and only the server) can decrypt this message and get this password, which is now shared by both the client and server.
It means that the client won't encrypt just with the public key he has, but uses a password that he generated (symmetric key) which will be shared with the web server using the public key encryption. And only the web server can know the password shared by the client, as only he owns the the private key part. So, both the web server and the client uses the symmetric key to encrypt messages, which no one knows or can intrude.
Am I right?