this post was submitted on 09 Aug 2023
49 points (96.2% liked)

Explain Like I'm Five
For example, anyone could use Let's Encrypt to get a trusted certificate, so what makes this trustworthy? Or why not trust everyone that signs their own certificates with a program like OpenSSL?

[–] Rednax@lemmy.world 10 points 1 year ago

Q. If you connect to google.com, how do you know you are talking to google.com, and not bing.com? A. You find the CA of the certificate that google.com sends you, and you ask that CA if the certificate is valid.

Q. How do you know that the CA is actually the CA, and not some fake actor? A. You find the CA of the CA, and ask it to validate the certificate of the CA.

Q. How do you know that the CA of the CA is actually the CA of the CA? A. After several layers of this recursion, there is a hardcoded set of trusted certificates on your PC.

If someone self-signs a certificate, then this chain of questions ends well before you end up with a hardcoded (and thus trusted) certificate.

Let's Encrypt verifies that a certificate is created for a specific domain. Therefore it can tell us whether the cert belongs to a domain with certainty.