Disclaimer: I am not a cybersecurity or computer science student. I am just curious about this scenario and couldn't find/understand how the methods used to ensure the safety of the connection are effective.
For example, let's say I am an ISP and I have 2 clients; one being the visitor of a website and the other being the servers of the website. I am keeping these two parties connected, and all the data transferred between them goes through me. What I understand is that websites use asymmetric encryption to make sure data is not seen by third parties.
What I don't understand is that, whatever encryption is used, we have to let the website user and the website know how to decode the data they transfer between them. The instruction or key used for decryption must be agreed on by both and must be shared between the website and the visitor using some method, but whatever method they use, everything goes through the ISP. So, if the ISP eavesdropped on every request made between them, why can't it figure out their encryption key?
In other words, in the beginning, no one knew anything. In the end, the visitor and website know an agreed encryption/decryption method. The ISP was the messenger who transferred all the information between them to make that happen. The information the ISP helped them share was also visible to it. The information sent can't be anything unintelligible, because then the website and the visitor could never figure out anything between each other, since they didn't know anything about each other to begin with.
So, how do modern web services make sure the data of their clients is kept confidential over network connections, and why can't I, the ISP, figure out what data they send to each other?
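As an added illustration (not part of the question above), the following toy Diffie-Hellman exchange shows what a passive ISP actually records: only the two public values, from which the shared key cannot be recovered without solving a discrete logarithm. The parameters, party names and transcript are constructed for this example; real TLS uses 2048-bit-plus groups or elliptic curves such as X25519, which is what makes that discrete logarithm infeasible.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, chosen for readability (constructed example).
# Real TLS groups are 2048+ bits or elliptic curves; the math is the same.
P = 2_147_483_647  # 2**31 - 1, a prime modulus
G = 7              # generator

def dh_keypair(p=P, g=G):
    """Return (private, public). The private exponent never leaves its owner."""
    private = secrets.randbelow(p - 2) + 1   # random in [1, p-2]
    public = pow(g, private, p)              # g^private mod p, sent in the clear
    return private, public

def dh_shared(own_private, peer_public, p=P):
    """Each side computes peer_public^own_private = g^(a*b) mod p.

    Only someone holding a private exponent can do this; the ISP, who sees
    g^a and g^b, would have to recover a or b from them first.
    """
    return pow(peer_public, own_private, p)

def derive_key(shared_secret):
    """Turn the shared group element into a symmetric key (KDF stand-in)."""
    return hashlib.sha256(str(shared_secret).encode()).digest()

def run_exchange():
    """Simulate visitor <-> website with an ISP recording everything on the wire."""
    isp_transcript = []                       # what the eavesdropper can see
    a, A = dh_keypair()                       # visitor
    isp_transcript.append(("visitor->website", A))
    b, B = dh_keypair()                       # website
    isp_transcript.append(("website->visitor", B))
    key_visitor = derive_key(dh_shared(a, B))
    key_website = derive_key(dh_shared(b, A))
    return key_visitor, key_website, isp_transcript

if __name__ == "__main__":
    kv, kw, transcript = run_exchange()
    print("ISP saw:", transcript)            # two public values, no exponents
    print("both sides hold the same key:", kv == kw)
```

The transcript contains g^a and g^b but never a, b or g^(ab); in the real protocol the server additionally signs its value with its certificate key so the visitor can tell it came from the genuine website rather than from the ISP substituting its own.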