Basically, communication between the browser and server is encrypted and digitally signed. The signing certificate is issued by a trusted Certificate Authority, who does some checking before issuing the certificate (making sure the domain matches the requestor, perhaps getting an ink signature from a company officer). A number of Certificate Authorities ( Thawte, Verisign etc.) are trusted by the Web browser companies (Mozilla, Microsoft etc.), who have strict guidelines on procedures to be followed to gain such trust. The root certificates for these trusted CAs are then built-in to the browser.
(Unfortunately, in recent years the proliferation of chaining certificates and the occasional theft of commercial certificates has watered down these assurances - a regular certificate may not be issued by a trusted authority, but by some intermediate. "Green" Extended Validation certificates offer more assurance.)
A number of organizations, such as TRIUMF and Grid Canada, have set up their own Certificate Authority. If you trust these organizations, you may install a root certificate from them, and hence verify websites and services that they have signed.
Often, a developer will create a "self-signed certificate". These provide encryption (protection against eavesdropping) but provide no identify verification whatsoever. Newer browsers issue several warnings when these are used.