Basic SSL questions

From what I've read, there are two warnings that users can see in their browsers relating to SSL:

Warning 1: The Certificate Authority (CA) with which that certificate was registered isn't trusted. How does the browser determine which CAs are trusted by default (without the user having to specify explicitly that they trust it)?

Also, if I want to get a certificate from a company, but I'm not sure how all browsers see it in terms of trust, how can I find out? Is there an up-to-date listing of the default trusted CAs for each type of browser and browser version that you use?

Warning 2: The domain name doesn't belong to the owner. So if I own a server on a domain name server1.com, and I register a certificate under server2.com, then server2.com's certificate will give that warning if I use it on server1.com? Is the above correct?

The following questions deal with the SSL 'handshake' process.

1) When does the server give its public key to the browser? If you go to a page that's secured with SSL, does it immediately and automatically respond to the HTTP request with an HTTP response that includes the public key?

Or does it send it somehow before you even get to that page, so the sending of that page to the browser for the first time is encrypted? Or, on the other hand, does it only encrypt the information the user enters on that page and submits?

2) How does the server give the public key to the browser? Is it an HTTP header? HTTP content in the HTTP response?

3) After the browser encrypts the message with the public key and sends it to the server, then isn't all communication from the server to the browser unencrypted (because the server doesn't have the browser's public key)?

Thanks for your help on this.
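Added illustration, not part of the original post: the two checks behind the two warnings, written out as code so they can be told apart. The root-store lookup by issuer name is a simplification (real clients validate a full chain and its signatures), and all certificate data is constructed sample data.

```python
# Added example, not from the original post: the checks a browser runs before
# trusting a server certificate.  The issuer lookup against TRUSTED_ROOTS is a
# stand-in (assumption) for full chain validation; all certificates are
# constructed sample data.

TRUSTED_ROOTS = {"Sample Root CA"}  # constructed stand-in for the browser's root store


def hostname_matches(hostname: str, dns_names) -> bool:
    """RFC 6125-style comparison of the connected host against the
    certificate's dNSName entries: case-insensitive, a wildcard only as the
    whole leftmost label, matching exactly one label, and never a bare
    *.com-style pattern (the conservative rule browsers apply)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pat = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if pat == host:
                return True
            continue
        # wildcard form: first label must be exactly "*", at least two labels
        # must follow it, and the host must have the same number of labels
        if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]) or len(pat) < 3:
            continue
        if len(host) == len(pat) and host[1:] == pat[1:]:
            return True
    return False


def certificate_warnings(hostname: str, cert: dict) -> list:
    """Return the warnings a browser would raise for `cert` on `hostname`:
    'untrusted CA' when the issuer is not in the root store, 'name mismatch'
    when no dNSName covers the host.  Both can occur at once."""
    warnings = []
    if cert["issuer"] not in TRUSTED_ROOTS:
        warnings.append("untrusted CA")
    if not hostname_matches(hostname, cert["dns_names"]):
        warnings.append("name mismatch")
    return warnings


if __name__ == "__main__":
    # constructed: a trusted certificate issued for server2.com, reused on server1.com
    server2_cert = {"issuer": "Sample Root CA", "dns_names": ["server2.com", "www.server2.com"]}
    print(certificate_warnings("server2.com", server2_cert))  # []
    print(certificate_warnings("server1.com", server2_cert))  # ['name mismatch']
    self_signed = {"issuer": "server1.com", "dns_names": ["server1.com"]}
    print(certificate_warnings("server1.com", self_signed))   # ['untrusted CA']
```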
