When you see https://, it means your traffic is encrypted. But how do two computers that have never met agree on a secret code that no one else can read?
1. The Client Hello
The browser sends a list of supported "Cipher Suites" and a random number to the server.
2. The Server Certificate
The server replies with its SSL certificate, which carries the server's public key. The certificate is signed by a trusted Certificate Authority (like Let's Encrypt), proving the server is who it says it is.
3. Key Exchange
The client generates a random "Pre-Master Secret" and encrypts it with the server's public key. Only the server, which holds the matching private key, can decrypt it. From this secret, both sides derive the Session Key.
Once the handshake is over, all further data is encrypted with that secret session key, keeping your passwords and credit cards safe from sniffers.