My understanding is as follows:
Client requests a secure connection with a Website's Server
Server provides a certificate with the address of the server and public key of the server encrypted with a Certificate Authority's (CA's) private key.
Client then decrypts that certificate with the public key of the CA which is packed with the OS/browser and verifies it is an authentic certificate from the CA which has not been decommissioned. The client now knows we can trust the server.
Client then provides their public key encrypted with the server's public key.
The two can now communicate securely, with the data sent from the client being encrypted with the public key of the server and decrypted by the server with the private key of the server, and with the data sent from the server being encrypted with the public key of the client and decrypted by the client with the private key of the client.
Since the private keys are kept private and not distributed, even if some malicious agent gets hold of the encrypted data traffic, they cannot decrypt any of it, since it was encrypted with the public key, unless they have somehow got hold of one of the private keys.
Is this understanding correct?
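The certificate check in the steps above (the client checking the server's certificate, and the server address it names, against the CA public key shipped with the OS or browser), as an added example using only the Go standard library. This is not code from the question or from any project; the CA names and the hostnames `www.example.test` and `other.example.test` are constructed for the example. It stands up a CA, has it issue a server certificate, and then runs the client-side check in three cases: the genuine certificate for the right host, the same certificate presented for a different host, and a certificate for the right host issued by a CA that is not in the client's trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// check aborts the demo on setup failures (key generation or signing), which
// are not what the example is about.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// baseTemplate sets the fields every certificate in this example shares.
func baseTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// signCert issues a certificate for pub, signed with issuerKey, and parses it back.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA builds a self-signed root. The certificate is what an OS or browser
// trust store ships; the private key never leaves the CA. Name is constructed.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := baseTemplate(1, name)
	tmpl.IsCA = true
	tmpl.BasicConstraintsValid = true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueServerCert is the CA's job: bind hostname to the server's public key and
// sign that binding with the CA private key. The certificate itself is public.
func issueServerCert(hostname string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := baseTemplate(2, hostname)
	tmpl.DNSNames = []string{hostname}
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return signCert(tmpl, ca, &serverKey.PublicKey, caKey)
}

// clientVerify is the browser's check: the certificate must chain to a root in
// the trust store, be within its validity period, and name the connected host.
// Only the CA's public key is needed; the client never sees any private key.
func clientVerify(leaf *x509.Certificate, trustStore *x509.CertPool, hostname string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   hostname,
		Roots:     trustStore,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo returns the client's verdict for (a) the genuine certificate on the right
// host, (b) the same certificate presented for a different host, and (c) a
// certificate for the right host issued by a CA the client does not trust.
// Hostnames and CA names are constructed for the example.
func Demo() (genuine, wrongHost, untrustedCA error) {
	trustedCA, trustedKey, err := newCA("Example Trusted Root (constructed)")
	check(err)
	rogueCA, rogueKey, err := newCA("Example Untrusted Root (constructed)")
	check(err)
	goodLeaf, err := issueServerCert("www.example.test", trustedCA, trustedKey)
	check(err)
	badLeaf, err := issueServerCert("www.example.test", rogueCA, rogueKey)
	check(err)
	// The client's trust store holds only the first CA, as a browser bundle would.
	trustStore := x509.NewCertPool()
	trustStore.AddCert(trustedCA)
	return clientVerify(goodLeaf, trustStore, "www.example.test"),
		clientVerify(goodLeaf, trustStore, "other.example.test"),
		clientVerify(badLeaf, trustStore, "www.example.test")
}
```

Only the CA certificate, which is public, goes into the trust pool; neither the CA's nor the server's private key is ever passed to `clientVerify`, which is what makes the arrangement work. `Verify` also enforces the validity period and the extended key usage, so an expired certificate, or one issued for a purpose other than server authentication, is rejected by the same call.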