I know what SSL does, but how it does it is a little bit confusing. I am a little bit lost in understanding the SSL life cycle. If I am not misunderstanding, then:
1. Basically, the server will send a certificate, data and a public key to the browser.
2. The browser will save the certificate and send back all the data with public key encryption.
3. The server will receive the data and will decrypt it with the private key that it has, and then sends back the remaining communication data.
4. Now, a unique session is generated between server and client, and they can use the unique session key to communicate with each other, and then nobody can sniff the data.
Now, please correct me if my understanding is wrong. But if my understanding is right, then I have a few questions.
1. If browsers (clients) can only encrypt the data, NOT decrypt the data, using the public key, then how about the data which is travelling from server to client? Because the client does not have any decoding algorithm, that data cannot be encoded, and the server has to send the data without any kind of encryption.
2. If we are introducing this fundamental of public and private keys, then what is the reason for the session key? Why do we not use this SSL public and private key thing throughout the whole communication?
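The two questions above are about the same mechanism: a public key is only useful for sending something to the holder of the private key, so it is used once, to get a shared symmetric session key to the server, and that symmetric key then protects traffic in both directions. The following Go program is an added example written for this page, not code from the original post or from any TLS library; it stands in a self-generated RSA key pair for the certificate's public key and uses RSA-OAEP plus AES-256-GCM from Go's standard library. Real TLS wraps this idea in a handshake with certificate verification and, in current versions, a Diffie-Hellman exchange instead of RSA key transport, but the division of labour between the long-term key pair and the per-session symmetric key is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Server owns the long-term key pair. The public half is what the certificate
// carries to the browser; the private half never leaves the server.
type Server struct{ priv *rsa.PrivateKey }

// NewServer generates a fresh 2048-bit RSA key pair (a hypothetical server
// standing in for a real CA-issued certificate).
func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

// PublicKey returns the half of the key pair that is safe to give to every client.
func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// ClientStart is the client's side of the key exchange: pick a random 256-bit
// session key and wrap it with RSA-OAEP under the server's public key. Go's RSA
// API has no "decrypt with public key" call; only the matching private key opens it.
func ClientStart(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// ServerAccept unwraps the session key with the private key. A server holding a
// different private key gets an error rather than a silently wrong key.
func (s *Server) ServerAccept(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates with AES-256-GCM under the session key. The key
// is symmetric, so the same function serves client-to-server and server-to-client.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// Open decrypts a message from Seal and rejects anything that was modified in transit.
func Open(key, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short to contain a nonce")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// RunExchange walks the whole flow once and returns what each side recovered.
func RunExchange() (serverGot, clientGot string, err error) {
	srv, err := NewServer()
	if err != nil {
		return "", "", err
	}
	clientKey, wrapped, err := ClientStart(srv.PublicKey()) // public key, used once
	if err != nil {
		return "", "", err
	}
	serverKey, err := srv.ServerAccept(wrapped) // private key, used once
	if err != nil {
		return "", "", err
	}
	// From here on both directions use only the symmetric session key.
	req, _ := Seal(clientKey, []byte("GET / HTTP/1.1"))
	reqPlain, err := Open(serverKey, req)
	if err != nil {
		return "", "", err
	}
	resp, _ := Seal(serverKey, []byte("HTTP/1.1 200 OK"))
	respPlain, err := Open(clientKey, resp)
	if err != nil {
		return "", "", err
	}
	return string(reqPlain), string(respPlain), nil
}

func main() {
	s, c, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("server decrypted: %q\nclient decrypted: %q\n", s, c)
}
```

Two things to notice when running it: the public key appears exactly once (to wrap the session key), and the private key appears exactly once (to unwrap it); every later message in either direction uses `Seal`/`Open` with the same symmetric key, which is also orders of magnitude faster than RSA on bulk data and carries an authentication tag, so a modified ciphertext fails in `Open` instead of decrypting to garbage.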