this post was submitted on 09 Aug 2023
11 points (100.0% liked)

Explain Like I'm Five

14284 readers
1 users here now

Simplifying Complexity, One Answer at a Time!

Rules

  1. Be respectful and inclusive.
  2. No harassment, hate speech, or trolling.
  3. Engage in constructive discussions.
  4. Share relevant content.
  5. Follow guidelines and moderators' instructions.
  6. Use appropriate language and tone.
  7. Report violations.
  8. Foster a continuous learning environment.

founded 1 year ago
MODERATORS
 

For example, anyone could use Let's Encrypt to get a trusted certificate, so what makes this trustworthy? Or why not trust everyone that signs their own certificates with a program like OpenSSL?

top 7 comments
sorted by: hot top controversial new old
[–] Rednax@lemmy.world 9 points 1 year ago

Q. If you connect to google.com, how do you know you are talking to google.com, and not bing.com? A. You find the CA of the certificate that google.com send you, and you ask that CA if the certificate is valid.

Q. How do you know that the CA is actually the CA, and not some fake actor? A. You find the CA of the CA, and ask it to validate the certificate of the CA.

Q. How do you know that the CA of the CA is actually the CA of the CA? A. After several layers of this recursion, there is a hardcoded set of trusted certificates on your PC.

If someone self-signs a certificate, then this chain of questions ends well before you end up with a hardcoded (and thus trusted) certificate.

Let's encrypt verifies that a certificate is created from a specific domain. Therefor it can tell is whether the cert belongs to a domain with certainty.

[–] ryeonwheat@lemmy.ml 5 points 1 year ago

There's some great answers already here, but I want to add a detail fir some context. Like others mentioned, Let's Encrypt does just the bare minimum of verification. They aren't really verifying that you are who you say you are, they are verifying you control the website. The reason is due to their goal.

They want as many people as possible using a secure Web protocol, and that requires as many people as possible have a certificate for any websites they run. There is minimal verification of identity, but the benefit of encrypted communications and even that bare minimum id is a huge step up in consumer security from old unprotected protocols.

[–] Jeeva@feddit.uk 4 points 1 year ago

On top of the other points raised here, it's worth noting that LetsEncrypt is relatively new and until recently had another company higher in the signing chain so that they could provide their certificates without folk having issues with their local cert store.

[–] Skelectus@suppo.fi 2 points 1 year ago

It's less about the trustworthiness of the site and more about confirming the site's identity. Maybe the original is a scam site, but at least you know it's the original.

[–] ShellMonkey@lemmy.socdojo.com 1 points 1 year ago

If you look in the certificate store of your browser there are a number of issuing authorities that the browser will treat as valid source-of-truth providers for SSL certs. If a certificate doesn't come from one of those, or is expired, or revoked the browser will throw up an alert to let the user know of the problem. Let's Encrypt is a group created to issue these certs in an automated fashion just like the traditional CAs. Really it's just a matter of which CAs are acceptable. Some organizations will remove trust for certain entities (Symantec for a while had removed the US Gov from the trusted issuers bundle for their Bluecoat proxies) if they deem an authority as suspect or potentially compromised. There wad also an incident several years ago where a major issuer had sent out an intermediate CA pair that a buisines ended up putting on a proxy that routed a big chunk of public traffic through effectively breaking the user's encryption. That CA got banished from the common browsers shortly after.

[–] rarely@sh.itjust.works 1 points 1 year ago

Signed by whom? The CA.

The CA is the certificate authority.

You can create your own CA and sign your own certs for free, but people would need to have your CA root cert in their browser for them to be able to trust your signed certs.

Let's Encrypt is a real CA bundled with browsers, and it signs free cert signing requests when specific criteria is met. This is done because TLS is an important privacy mechanism that works best if many certs are in use and not just a few wildcard certs.

Why not trust self-signed certs? Because there are no checks. When miicrosoft.com (the people who make the miis on your wii) gets a free cert signing from Let's Encrypt, its because the owner of miicrosoft.com proved that they owned the domain miicrosoft.com by means of a lets encrypt / acme challenge. When you create your own CA and sign your own certs you are beholden to your own rules. You could sign a free cert for microsoft.com (the people who make minecraft) but then you would also need to convince users to install your CA, and then you can steal their blocks and grief their builds.

You still have to provide some proof that you are who you say you are by publishing a specific webpage on the site that will get the certificate or by publishing a specific DNS record on the domain. Self-signed certs don't have that requirement so people could make certs for google.com if they wanted to.