I am relatively new to the world of cryptography and was wanting to develop a webpage which allows credit card payments. Thus, I looked into the DigiCert SSL service, hoping that it could do what I want.
My question is: if asymmetric encryption requires some form of exchange and protocol between the server and end-user, then is that not potentially a point of weakness? How does it, if it does, manage to tell each other what cipher and keys to use initially without someone listening in the middle during the handshake process knowing? Ultimately, does it even matter?
Scenario 1: A customer connects to the website. Is it possible that a hijacker poses as the server IP and intercepts the signal, before returning it again unchanged? He becomes a spy in the network...
Scenario 2: Assuming scenario 1 is possible or the electrical cable to the exchange from the customer's home has been compromised, the user's computer will tell the server its capabilities and the server will return with a unique response, then the encryption begins. How is that initial process protected? It's sort of like typing a password but someone's watching over your back...
I'm pretty new to this, so this is my understanding. Please correct me at any stage and enlighten me with info.
Thanks in advance.