It is said when you use ssl then you prevent a man in the middle from stealing information from the server to the client or vice verse. In my case stealing the jsonwebtoken. What i understand also from other answers is that ssl uses a private key and a public key. The private key is stored on the server and the public key is given out to the clients. You can encrypt information with the private key but you can't decrypt it with the private key for that you need the public key. Also you can encrypt information with the public key but you can't decrypt it with the public key therefore you need the private key.
How i currently look at it is when a server sends the public key to the client then a man in the middle is also able to get a copy of the public key and he will be able to decrypt information from the server to the client. Am i right on this or do i miss something. I understand the man in the middle can't decrypt information from the client to the server because he doesn't have the private key but if he already can decrypt the information from the server to the client then he is able to steal the jsonwebtoken which enables him to login on behalf of the client.
For me it would be more logic when a client has a private and a public key as well. The private key should be stored on his computer and the public key is send to the server. So the server encrypts information which is send to the client with the public key of the client instead of his own private key. The private key on the server is then used only to decrypt information from the client. In this case you would have a 2 way encryption and the man in the middle is not able to decrypt any information at all. But so far i understand it's not working this way.
Maybe i'm completely wrong or maybe i overlooked something. Hopefully someone can light some things up a bit because it's not 100% clear to me. Thanks in advance for your help.
