Re: Someone forgetting how https actually works?
@just_me: the browser doesn't send a key (except for very secure sites, where the server asks for a certificate from the browser to prove the browser's identity - not relevant, since the vast majority of us don't have certificates and don't try to connect to these sites anyway).
1 - the server identifies itself by sending a certificate, which includes the server's public key
2 - the browser/client decides on a secret (symmetric) key to be used for the actual browsing part of the transaction (the second phase). It then encodes this using the public key sent by the server, and sends the result to the server
3 - the server decodes the new symmetric key using its own (the server's) private key
4 - Both the client and the server now know the secret symmetric key to be used for encryption.
So, basically, asymmetric keys (different public/secret keys) are used to decide on a symmetric key (one secret key) to be used for subsequent encryption. During the asymmetric phase, only the server's public key is used.
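The four steps above, as an added example that is not part of the original post. It is a toy in pure Python (no external libraries) so it runs anywhere: the RSA modulus is built from two small, well-known Mersenne primes that I chose for the example, there is no padding (real TLS RSA key transport used PKCS#1 v1.5, and the wrapped secret is a "pre-master secret" that both sides then expand into the session keys rather than the session key itself), and the "browsing phase" cipher is an HMAC-SHA256 keystream standing in for AES. Function names are mine. Note that this RSA key-transport handshake is the TLS 1.2-and-earlier model; TLS 1.3 removed it and derives the symmetric key with (EC)DHE instead, so that the server's private key can never be used to decrypt recorded traffic later.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Toy RSA parameters, constructed for this example only: two Mersenne primes
# giving a ~92-bit modulus. A real server certificate carries a 2048-bit or
# larger key; these sizes are chosen so the arithmetic is instant and readable.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def make_server_keypair():
    """Step 1 (server side): the key pair whose public half (n, e) sits in the certificate."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    assert gcd(E, phi) == 1  # E must be invertible mod phi for a valid private exponent
    d = pow(E, -1, phi)      # private exponent, never leaves the server
    return (n, E), (n, d)


def client_choose_and_wrap_key(server_public, key_len=8):
    """Step 2 (client side): pick a random symmetric key and encrypt it to the server's public key.

    Only the server's *public* key is used here; the client has no key pair of its own.
    Returns the key (the client keeps a copy) and the wrapped value that goes on the wire."""
    n, e = server_public
    while True:
        key = secrets.token_bytes(key_len)
        m = int.from_bytes(key, "big")
        if 0 < m < n:  # textbook RSA needs the message to be smaller than the modulus
            break
    wrapped = pow(m, e, n)
    return key, wrapped


def server_unwrap_key(server_private, wrapped, key_len=8):
    """Step 3 (server side): recover the symmetric key with the private exponent."""
    n, d = server_private
    m = pow(wrapped, d, n)
    return m.to_bytes(key_len, "big")  # fixed width restores any leading zero bytes


def _keystream(key, length):
    # Toy stream cipher: HMAC-SHA256 in counter mode, standing in for AES in the example.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key, plaintext):
    """Step 4: both ends now hold `key`; the browsing phase uses only this symmetric key."""
    return bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))


def sym_decrypt(key, ciphertext):
    return sym_encrypt(key, ciphertext)  # XOR with the same keystream undoes itself


def run_handshake_and_exchange(request=b"GET / HTTP/1.1"):
    """Drive the whole exchange; return (keys agreed?, request as the server decrypted it)."""
    server_pub, server_priv = make_server_keypair()                # step 1
    client_key, wrapped = client_choose_and_wrap_key(server_pub)   # step 2, client -> server: wrapped
    server_key = server_unwrap_key(server_priv, wrapped)           # step 3
    encrypted_request = sym_encrypt(client_key, request)           # step 4, client -> server: ciphertext
    return server_key == client_key, sym_decrypt(server_key, encrypted_request)


if __name__ == "__main__":
    print(run_handshake_and_exchange())
```

The value `wrapped` is the only thing an eavesdropper sees in the asymmetric phase, and recovering the symmetric key from it requires `d`, i.e. factoring `n`. That is also the weakness of this design: anyone who obtains the server's private key later can unwrap every recorded session, which is why current TLS prefers ephemeral Diffie-Hellman.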