0

Let's assume that I am logging into my Gmail account from my browser using my username and password. I know that my input will be encrypted using Google's private key and the only one who can decrypt it is Google's server. So Google's server will read it and send the response to me using WHAT key?

I am thinking “if Google uses their own private key then the man-in-the-middle could decrypt the response using Google's public key and can read my emails”

How is the response secured then?

schroeder
  • 125,553
  • 55
  • 289
  • 326
yusuf tezel
  • 111
  • 5
  • Welcome to the community. It is being encrypted using Google's **private** and not public key in a PKI scenario... – Sir Muffington Dec 18 '22 at 15:57
  • Thanks @SirMuffington, the keys are symmetric it doesn’t matter as I understand. – yusuf tezel Dec 18 '22 at 16:02
  • 1
    *"I know that my input will be encrypted using googles private key "* - No. You have the wrong understanding of the basic concepts in TLS.. That's why I marked it as duplicate of a question which explains how TLS works. – Steffen Ullrich Dec 18 '22 at 16:11
  • #3 is not quite right. Check out the link that I posted in my answer, and look at how the master secret is generated, and how it is used to encrypt the request from the client and the response from the server. – mti2935 Dec 18 '22 at 23:06
  • 1
    You seem to have some major misconceptions about TLS (which is understandable for a beginner). The linked duplicate has answers that explain TLS correctly in detail so it should help you understand TLS properly, and in the process you will also figure out the answer to your question. – nobody Dec 19 '22 at 08:48
  • If the linked Q&A is too difficult, then all you need is a basic explanation of how TLS works, which is what the answer you accepted provides. Either way, the duplicate is correct and appropriate. – schroeder Dec 19 '22 at 11:00

1 Answers1

1

During the TLS handshake, your browser and Google's server negotiate a secret symmetric key that is known only to your browser and Google's server. Your browser encrypts the http request using this symmetric key and sends the encrypted request to Google's server. Then, Google's server encrypts the response using this same symmetric key, and sends the encrypted response back to your browser.

This is perhaps somewhat of an oversimplification, but see https://www.moserware.com/2009/06/first-few-milliseconds-of-https.html for some interesting reading on this subject if you are interested in more detail as to how all of this happens. Note, this write-up is based on TLS 1.0, which is an older TLS protocol. Newer versions of TLS (such as TLS 1.2 and TLS 1.3) use a more complicated handshake, so it may be better to start by getting a handle on TLS 1.0 first.

mti2935
  • 21,098
  • 2
  • 47
  • 66