I have been trying to understand the working of SSL. I know that any https website has a digital certificate with it. So when the client requests something from the server, the server sends with certificate which is signed by some CAs. Since the client trusts the CAs, it will also trust the server.
My question is how is this trust is performed? Given that anyone can create public/private key pair and get it signed. Please clarify.
The important bit of information is that the certificate references the website. All the certificate is supposed to do is to enable encryption between the client and the destination: naming the website means that the connection can be trusted.
If you are asking if you can trust the website, then that is not what certificates or CAs are for. Certificates do not indicate that the server is in any way trustworthy.
Your browser is set up to trust certain CAs. When you go to www.facebook.com, you get the certificate of www.facebook.com, your browser verifies if the certificate is really issued for www.facebook.com, and it also verifies if it is issued by a CA that it (you browser) trusts.
I cannot get an certificate issued for www.facebook.com by well known/trusted CAs and that means I cannot pretend that I am www.facebook.com. If I take the certificate that www.facebook.com sends to me, and forward to someone else, pretending that I am www.facebook.com (by also doing some dns spoofing), I run into a problem because the victim is using the certificate/public key of facebook to encrypt data, and I will not be able to decrypt it because I do not have the private key for www.facebook.com.
