HTTPS
HTTP running on top of TLS (or its deprecated predecessor, SSL)
So, before sending any HTTP, client and server run the TLS handshake:
- the server sends its certificate: its public key and hostname, signed by a certificate authority (CA) the client trusts, to authenticate the server's identity
- the client verifies the CA signature on the certificate, checks that the name in it matches the host it is connecting to, and checks that the server proves possession of the matching private key (e.g. by signing the handshake)
- the server and client agree on a symmetric session key, e.g. with ephemeral Diffie-Hellman (each side sends a public share; the server's share is covered by its signature, so a man in the middle cannot substitute his own)
All further HTTP on the connection is encrypted and integrity-protected with that symmetric key
1. why not just use the server's private key to encrypt the HTTP?
- slow: a private-key operation is a modular exponentiation on a 2048-bit number, orders of magnitude more expensive per byte than a symmetric cipher
- it hides nothing: whatever is "encrypted" with the private key can be undone by anyone holding the public key, which is published in the certificate (the private-key operation is what signing uses, so everyone can verify, i.e. undo, it); and the client has no private key for its own direction at all
- English text is low entropy and predictable: with raw (unpadded) RSA an attacker can encrypt guesses of the plaintext under the public key and compare, so the content leaks even though the key itself is not recovered
- no forward secrecy: one long-term key protecting all traffic means that stealing it later decrypts every recorded session, whereas a per-connection Diffie-Hellman key is discarded after use
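Added example (not from these notes): a toy, standard-library-only Python model of the handshake above and of question 1, with both sides in one process. The 512-bit RSA keys, the 1024-bit DH group (RFC 2409 group 2), the HMAC-based record cipher and all function names are stand-ins chosen for brevity for this example, not production cryptography and not any real TLS library's API.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "group 2": 1024-bit MODP prime, generator 2. Used here only because
# the constant is short; use RFC 3526 group 14 (2048-bit) or X25519 in practice.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

# --- toy RSA for the CA and server signing keys (512-bit: demo size only) ---
def is_probable_prime(n, rounds=16):     # Miller-Rabin, enough for toy key generation
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n

def rsa_keypair(bits=512):               # returns ((e, n), (d, n))
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this gives gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_sign(priv, msg):                  # textbook RSA on a hash, no padding (toy)
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), priv[0], priv[1])
def rsa_verify(pub, msg, sig):
    return pow(sig, pub[0], pub[1]) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def private_key_hides_nothing(pub, priv, msg):   # question 1: the public key undoes it
    c = pow(int.from_bytes(msg, "big"), priv[0], priv[1])   # needs len(msg) < 64
    return pow(c, pub[0], pub[1]).to_bytes(len(msg), "big") == msg

# --- ephemeral Diffie-Hellman, key derivation, record protection ------------
def dh_keypair():                         # fresh exponent per connection: forward secrecy
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)
def dh_shared(priv, peer_pub):
    if not 1 < peer_pub < P - 1:          # 0, 1 and p-1 would force a predictable secret
        raise ValueError("bad DH public value")
    return pow(peer_pub, priv, P)

def derive_key(shared, transcript):       # HKDF-style, bound to the handshake transcript
    prk = hmac.new(b"toy-tls-salt", shared.to_bytes(128, "big"), hashlib.sha256).digest()
    return hmac.new(prk, b"session key" + transcript, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]
def seal(key, nonce, plaintext):          # encrypt-then-MAC; toy stand-in for AES-GCM
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
def unseal(key, nonce, sealed):
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- the handshake, both sides in one function ------------------------------
def issue_cert(ca_priv, subject_pub):     # toy cert: subject public key + CA signature
    body = b"%d:%d" % subject_pub
    return body, rsa_sign(ca_priv, body)

def handshake(ca_pub, server_cert, server_priv):   # returns (client_key, server_key)
    body, ca_sig = server_cert
    if not rsa_verify(ca_pub, body, ca_sig):         # client: trust the CA, so trust the cert
        raise ValueError("certificate not signed by a trusted CA")
    server_pub = tuple(int(v) for v in body.split(b":"))
    c_priv, c_pub = dh_keypair()                       # client -> server: its DH share
    s_priv, s_pub = dh_keypair()                       # server -> client: its share, signed
    transcript = c_pub.to_bytes(128, "big") + s_pub.to_bytes(128, "big")
    sig = rsa_sign(server_priv, transcript)
    if not rsa_verify(server_pub, transcript, sig):   # a man in the middle cannot forge this
        raise ValueError("server does not hold the certified private key")
    client_key = derive_key(dh_shared(c_priv, s_pub), transcript)
    server_key = derive_key(dh_shared(s_priv, c_pub), transcript)
    return client_key, server_key
```

To walk through it: make a CA and a server key pair with rsa_keypair(), issue the server's certificate with issue_cert(), run handshake() and confirm both returned keys are equal, then seal() the HTTP request with the client key and unseal() it with the server key. A second handshake() yields a different key (ephemeral DH), a certificate signed by some other CA is rejected, and a flipped byte in a sealed record fails the tag check. private_key_hides_nothing() is question 1 in code: what the server "encrypts" with its private key, anyone holding its certificate reads back.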