I was reading this article, specifically the "SSL in action" part. It says:
When Client connects to company.com on its SSL-secured port, the company sends back its public key (and some other information, like what Ciphers it supports).
…
Once the client is happy with the server (and the server with the client, if needed), then the client choose an SSL Cipher to use from the list of encryption methods provided by the server, and generates a “symmetric key” (password) for use with that Cipher. The client encrypts this password using the server’s public key and sends it back to the server. The server (and only the server) can decrypt this message and get this password, which is now shared by both the client and server.
So, my understanding is that there is only one public key; the one that is given to company.com by the trusted 3rd party (thawte/godaddy/verisign etc). The client then chooses to accept this key/certificate and then sends a password used to encrypt future communications.
If there is only one public key, then can't a hacker just go that site once, get a copy of the public key, then intercept the client as he sends the password, decrypt it using the public key he already has, and then spy on all future communications? What prevents that?
The part I don't understand is
The server (and only the server) can decrypt this message and get this password
Why can only the server decrypt the message? What prevents others from decrypting it?
Best Answer
The Public Key is one way. You can not decrypt the communication with it. You need the private part of the key pair to do the decryption.