NB Like this 2009 article, that cartoon is explaining a mechanism which is now obsolete. Your browser still knows how to do things that way (for at least a while yet), but it would rather not because it's less safe for you.
The TLS 1.3 walk through somebody else linked represents more or less what an actual browser does when talking to many popular sites, and even though TLS 1.3 isn't a majority of sites yet the behaviour for most (but not all) TLS 1.2 sites now more resembles that than these older articles in crucial ways.
Most essentially, we do not do RSA kex (client picks random secret, encrypts it with RSA, sends it to the server, thus implicitly verifying the server knows the RSA private key) unless that's the only permitted way to get access. For whatever reason people like explaining RSA key exchange, long after we don't like using it because it isn't Forward Secret.
There is no TLS 3.0. The published standard is TLS 1.3, even though it's fundamentally quite different from TLS 1.2 and in the end it wasn't even possible to re-use the version system from TLS 1.2, the standard is still named TLS 1.3
qntmfred|5 years ago
tialaramex|5 years ago
The TLS 1.3 walk through somebody else linked represents more or less what an actual browser does when talking to many popular sites, and even though TLS 1.3 isn't a majority of sites yet the behaviour for most (but not all) TLS 1.2 sites now more resembles that than these older articles in crucial ways.
Most essentially, we do not do RSA kex (client picks random secret, encrypts it with RSA, sends it to the server, thus implicitly verifying the server knows the RSA private key) unless that's the only permitted way to get access. For whatever reason people like explaining RSA key exchange, long after we don't like using it because it isn't Forward Secret.
ktpsns|5 years ago
Biganon|5 years ago
tialaramex|5 years ago