What does the 3rdKey do?

Why use a third key?

You don't tell your secrets to a stranger, and you don't want to share your personal information with a strange server either. You can recognise a person by seeing or hearing them; you can't verify a server quite so easily.

On the internet, we use certificates to verify that the server we're talking to is, in fact, the one it claims to be. Each certificate is signed by a Certificate Authority (CA). If the server presents a certificate we don't already trust, we take the certificate of the CA that signed it and use that CA's public key to check the signature. If we don't trust that CA either, we check the certificate that signed its certificate, and so on up the chain, until we reach a root CA that our browser or operating system already trusts.[1]

This works only as long as the outcome of that check is treated as the final word. But often, when a certificate cannot be verified, the browser shows a warning and still lets the user continue anyway, and it then remembers that exception for that certificate (or that host) so the warning is not shown again. From that point on the browser is accepting an identity nobody has verified: if the site used a fake certificate from a fake authority, that fake certificate is now accepted silently, and so is anyone who intercepts the connection and presents the same certificate, because the user has said that they trust it.

The only way for us to be sure that you are who you say you are, and not someone intercepting our conversation, is to ask you for a few characters from your authentication key (the 3rd key). And the only way for you to know that we are who we say we are is that a verification phrase you gave us is shown to you once you put in the correct characters. Basically, we encrypt one of your phrases using the characters from the 3rd key, then decipher it within your browser to show it to you: if the characters you entered are wrong, or if the server asking does not hold your real key and phrase, the phrase you recognise cannot appear.


[1] - 'Server Authentication During SSL Handshake', Oracle


©copyright 1997-2022