I was working on an HTTPS issue today, and Ryan came to talk to me. While he
was watching, I figured out what was causing the problem, which was related to the
SSL handshake. Ryan asked about the handshake, and I tried to give him a
layman's-terms overview of what it was. Before I started, I started to picture in
my head what the conversation might be like:
Me: When an SSL connection is made…
Ryan: What’s SSL?
Me: When you want a connection to be encrypted…
Ryan: What’s “encrypted” mean?
Me: When two processes are talking…
Ryan: What’s a “process”?
Here’s how I described it:
Me: If I want to send a message to another computer, I write the message
on a kind of postcard, with the address of the other computer on it, and then I
send it. The postcard goes out, sometimes on a wire, in this case through the
Ryan: Like radio waves?
Me: Exactly. Then the other computer receives the postcard, checks the
address, and figures that the postcard is for him. Then he reads the message.
But, if there’s another computer nearby, it can look at the postcard too,
even though it’s got someone else’s address on it. So if I want to send a
secret message to a computer that’s my friend, I don’t want that other
computer to be able to read it. So, I take the data on the postcard, and
mush* it all up, and change it, and make it look funny. My friend knows that
it’s mushed up, and it un-mushes it and gets the original secret message out.
But the other computer doesn’t know this, so it looks at the message and says
“Huh? What’s that
Me: When we first start talking, I tell my friend “Hey, I’m going to mush
up this data, and here’s how I’m going to do it.” and I give him some stuff that
allows him to un-mush the message — that’s called the “handshake”.
Ryan: Like this?
Me: Yes, just like that. It’s a way that two computers say “hello, I’m
going to send you some mushed data, here’s how to un-mush it”.
Ryan: That’s cool.
* Important note: “mush” as used here rhymes with “bush” or “push”, not “hush”.
Then I gave him some examples of why you’d want to do this — when I order
a book from amazon.com (I thought of this because I pre-ordered the 7th Harry
Potter book today), I give them my credit card number. I don’t want someone else
to figure out my credit card number, or they might go to amazon.com and say “Hi
amazon.com, it’s me, Graeme. I’d like to buy 500 books and charge it to this
credit card”, and he gets the books, and I have to pay for it.
Ryan has a fairly limited sense of the value of money, but he gasped at this,
obviously realizing that this would be a Bad Thing. Either that, or I just gave
him a brilliant idea for how to get free stuff, and started him on his way to
being a career criminal. Heh heh heh… oops.