Nina: Hey Andy, can you answer this question about SSL?
Andy: Shoot it. I know what SSL does.
Nina: Which of these does SSL use?
Andy: That's simple. It uses Asymmetric Encryption.
Andy: I am pretty sure. I can explain to you how it works.
Nina: What you said is partially correct. Let's see who has what keys.
Nina: So how can we establish a two-way connection using just one private key? How will the server send encrypted information back to the client? There is no way the client can decrypt the data.
Andy: I get it now. But I remember reading it as asymmetric encryption. Okay, so the answer is Symmetric Encryption.
Nina: Not really! How will the client and server agree on a single key without the middle-person (bad guy) knowing it? (Note: if at this point you are wondering how the bad guy got in the middle, you need to read about Man-In-The-Middle attacks. One important purpose of SSL is to avoid these attacks.)
Andy: So client and server need to agree on a symmetric key, but they need to do so in a secret way without the middle-person knowing it. How's that done?
Nina: Let me explain.
Andy: That's quite nice, I didn't know it. Actually, that means asymmetric encryption is only used during the initial connection setup phase, and later on it's all symmetric encryption.
Nina: That's right!
Important note: Details of the actual SSL handshake are ignored here. The purpose of this article is not to explain the absolute technical details but to explain how a two-way encrypted connection is made by initially using a one-way encrypted connection. Details such as pre-master key generation, master key generation, etc. are ignored. Further reading: one, two, three.
I decided to write this after I found out that quite a few developers did not pay attention to the details of SSL. Honestly, it may not be that important either; in most cases developers use a third-party library.
Ask your colleagues and find out if they know about it.
When you ask them which mechanism SSL uses: if they say asymmetric, ask them how a two-way communication is established. If they say it's symmetric encryption, ask them how the key can be exchanged without the middle-person (bad guy) stealing it.
Discussion on Lobsters. Let me know what % of your friends/colleagues are right about the details.