Posted Jan 6, 2011 12:38 UTC (Thu) by erwbgy
In reply to: Default "secrets"
Parent article: Default "secrets"
Perhaps I misunderstand SSL, but I thought that the certificate was only useful to ensure the identity, not to encrypt the session. I mean each session has randomised session keys not based on the private key.
The public and private keys are used when exchanging the session key, so if you have access to the private key then you will be able to find out the session key and decrypt the traffic.
The Wikipedia TLS page explains this well:
In order to generate the session keys used for the secure connection, the client encrypts a random number with the server's public key and sends the result to the server. Only the server should be able to decrypt it, with its private key.
to post comments)