How does HTTPS work? How does the client side know if the server side is valid? After the certification verification process, how does the server side know that the client side sending a message is valid?
Sigiloso
1. It is an HTTP connection protected by an SSL/TLS connection.
2. The certificates used by the server will be verified by the client with the pre-loaded CA.
3. (Unable to answer at that moment; this answer was made after I read about the SSL handshake process on Wikipedia.) The client side would use the received public key to encrypt a message and send it to the server, so the server can verify the message with its own private key; it is a use case of asymmetric cryptography.

I am quite sure their engineer knows how to dig deeper into the SSL processes, so it is fine to leave some answers here. Like in traditional TLS, there would be a process of exchanging a shared key (symmetric cryptography) which will be agreed on by both the client and server side, so the question would be expanded in various ways; you need to tell the importance of each step with your own presentation.
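Added example, not part of the original answer and not code from any TLS library: a sketch of what the shared key mentioned above is used for once a TLS 1.2 handshake has finished, following the RFC 5246 PRF and record MAC with HMAC-SHA256. The pre-master secret and randoms are constructed sample values, record encryption is left out, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_mac_keys(pre_master: bytes, client_random: bytes, server_random: bytes):
    """Both peers run this on the values exchanged in the handshake."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 64)
    return block[:32], block[32:]           # client-write key, server-write key

def record_mac(mac_key: bytes, seq: int, content_type: int, fragment: bytes) -> bytes:
    """MAC over sequence number, type, version (0x0303 = TLS 1.2), length, data."""
    header = struct.pack("!QBHH", seq, content_type, 0x0303, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def verify_record(mac_key, seq, content_type, fragment, tag) -> bool:
    return hmac.compare_digest(record_mac(mac_key, seq, content_type, fragment), tag)

def demo() -> dict:
    # Constructed sample values; a real handshake uses fresh random bytes.
    pre_master = bytes(range(48))
    c_rand, s_rand = b"C" * 32, b"S" * 32
    client_key, _ = derive_mac_keys(pre_master, c_rand, s_rand)   # client side
    server_view, _ = derive_mac_keys(pre_master, c_rand, s_rand)  # server side
    outsider, _ = derive_mac_keys(bytes(48), c_rand, s_rand)      # wrong pre-master

    data = b"GET / HTTP/1.1\r\n\r\n"
    tag = record_mac(client_key, 0, 23, data)                     # 23 = application_data
    return {
        "genuine": verify_record(server_view, 0, 23, data, tag),
        "tampered": verify_record(server_view, 0, 23, b"X" + data[1:], tag),
        "replayed": verify_record(server_view, 1, 23, data, tag),
        "forged": verify_record(server_view, 0, 23, data, record_mac(outsider, 0, 23, data)),
    }

if __name__ == "__main__":
    print(demo())
```

The server accepts a record only when the MAC matches under the key both sides derived, so a modified record, a record presented under a different sequence number, or one produced without the pre-master secret is rejected.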