What is the series of steps needed to securely verify an SSL certificate? My (very limited) understanding is that when you visit an https site, the server sends a certificate to the client (the browser) and the browser gets the certificate’s issuer information from that certificate, then uses that to contact the issuer, and somehow compares certificates for validity.
- How exactly is this done?
- What about the process makes it immune to man-in-the-middle attacks?
- What prevents some random person from setting up their own verification service to use in man-in-the-middle attacks, so everything “looks” secure?