Let’s discover how a client and a server communicate through the HTTPS protocol.
First Bob request the server by a web request, and he forwards TLS usefull information:
Now the server responds to Bob by a “Server Hello”:
Then server goes on with another message related with its certificate:
All the information from the server has been sent to the client.
Now the client has to verify that the signature is correct, “that is really the DVWA web server the client is communicating with”.
The DVWA signature is generated from the website certificate along with website public key, the both have been hashed. Then the certification authority cipher the hash value using its own private key.
It means that the website is trust because it has a certificate signs by a CA.
The owner of the website is also trusted because he gives personal information to a certificate authority such as address, name, and organization to make a certificate.
Now because the certificate has been verified, the TLS process can go on.
The client will now generate a pre-master key, ciphered using the DVWA public key.
Now Bob sends the new key to the DVWA server though a ciphered packet:
The DVWA server deciphered the server using its private key:
Then a pseudorandomized function is applied and with provided the client 32 bits, the server 32 bits and the shared pre-master key:
Now Bob request a page on the webserver, the HTTP request will be cipher using the symmetric primary key, the master secret:
The packet goes ciphered to the server:
Finally the DVWA server deciphers the packet using the primary key:
You know now how your traffic goes ciphered on Internet on a website having a certificate implemented ! 🙂