Comments by "zixuan zhao" (@zixuanzhao6043) on "SSL, TLS, HTTPS Explained" video.
DH alone is prone to man-in-the-middle attack. So the certification verification is vitally important, which the video doesn't cover much. Basically the server sends a signature which is some private-key encrypted digest of server identity information. The client then verifies the public key through chain-of-trust by layers of authorities that issue certifications (system root authority is trusted unconditionally unless your local system is messed up). Using the verified public key the client decrypts the signature and compares the result to the digest generated through the negotiated digest/hash algorithm. If everything checks out, the server identity is trusted because only the private key owner is able to generate that signature.
2
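The check described in the comment above, as an added Python example that is not part of the comment or the video: a client verifies a certificate against a trusted root and then verifies the server's signature over its DH share, so a share replaced in transit is rejected. Assumptions: textbook RSA without padding, toy keys built from Mersenne primes, a one-level chain, a signature over the DH share only, and the hypothetical host name `example.test`.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys below

def keypair(p, q):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    """SHA-256 of msg as an integer reduced mod n (no padding: toy scheme only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)         # only the holder of d can compute this

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)  # recover the signed digest, compare

# Constructed keys built from Mersenne primes; far too small for real use.
ROOT_N, ROOT_D = keypair(2**107 - 1, 2**127 - 1)  # trusted root, preinstalled on client
SRV_N, SRV_D = keypair(2**61 - 1, 2**89 - 1)      # server key
P, G = 2**127 - 1, 3                              # toy DH group

def cert_body(subject, n):
    return f"{subject}|{n}".encode()

def issue_cert(subject, n):
    """Root binds a subject name to a public key by signing both."""
    return {"subject": subject, "n": n,
            "sig": sign(cert_body(subject, n), ROOT_N, ROOT_D)}

def client_accepts(cert, host, dh_share, share_sig):
    """Chain of trust (one level here), then the signature over the DH share."""
    if not verify(cert_body(cert["subject"], cert["n"]), cert["sig"], ROOT_N):
        return False                         # certificate not issued by the trusted root
    if cert["subject"] != host:
        return False                         # valid certificate, but for another name
    return verify(str(dh_share).encode(), share_sig, cert["n"])

def demo():
    cert = issue_cert("example.test", SRV_N)
    share = pow(G, 0x1234567890ABCDEF, P)    # server's DH public value (constructed secret)
    sig = sign(str(share).encode(), SRV_N, SRV_D)
    replaced = (share * G) % P               # a different share substituted in transit
    return (client_accepts(cert, "example.test", share, sig),      # genuine handshake
            client_accepts(cert, "example.test", replaced, sig),   # share was altered
            client_accepts(dict(cert, n=ROOT_N), "example.test", share, sig))  # key swapped
```

`demo()` returns the client's decision for the genuine handshake, the altered share, and a certificate whose public key was changed after the root signed it.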