> As I understand it.... When I connect to a site over https, I 
> receive their
> certificate or public key. When I send data to the site, it 
> is encrypted
> using their public key and can only be unencrypted by their 
> private key which
> they keep locked away with a PEM phrase & restrictive 
> permissions. Now, how
> exactly is the data that is sent to my browser efrom the web server
> encrypted? How does my browser unencrypt it?

That isn't quite how it works. Use of server or client certificates is optional; even if used, they have nothing to do with securing the data exchanged--certificates are used only to authenticate that the other end is really who it claims to be.

The encryption methods, keys, and other security parameters used for a session are negotiated by the two ends as part if the initial handshake protocol. The full-blown handshake looks like this (from RFC 2246):

 Client                                 Server

 ClientHello         --->
                                   ServerHello
                                  Certificate*
                            ServerKeyExchange*
                           CertificateRequest*
                     <---      ServerHelloDone
 Certificate*
 ClientKeyExchange
 CertificateVerify*
 [ChangeCipherSpec]
 Finished            --->
                            [ChangeCipherSpec]
                     <---             Finished

The "Hello" and "Exchange" components are where the two parties offer each other their cryptographic capabilities, decide what will be used, set up the required parameters, and then, at [ChangeCipherSpec], switch to the agreed-upon security.

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *