why do we trust SSL certificates?

A friend of mine asked me why we pay so much for SSL certificates if everyone could theoretically issue one. Why indeed? And how do we judge if the little lock in the browser is really trustworthy?

Manu asked Feb 25 '09 08:02

2 Answers

Certificates are cryptographically signed by something called a Certificate Authority (CA), and each browser has a list of CAs it implicitly trusts. These CAs are entities that have a set of cryptographic keys that can be used to sign any certificate, often for a fee. Any certificate signed by a CA in the trusted list will give a lock on a browser, because it's proven to be "trusted" and belongs to that domain.

You can self-sign a certificate, but the browser will warn you that the signer is not trusted, either by showing a big error box before allowing you in, or showing a broken lock icon.

In addition, even a trusted certificate will give an error if it's used for the wrong domain, or is modified to include another domain. This is ensured because the certificate includes the domains it is allowed to be used for, and it also has a cryptographic checksum/fingerprint that ensures its integrity.

This is not 100% safe at the moment, as there is the possibility to fake CA certificates that use MD5, see this link: http://www.phreedom.org/research/rogue-ca/. Though it has to be noted that this is pretty hard, as they exploited a weakness in an already existing CA, which may or may not have been closed by now.

In essence, we trust the certificates as much as we trust that our browser providers know how to select "proper" CAs. Those CAs are only trusted by virtue of their reputation, as a single misstep theoretically would be a very heavy blow to their trustworthiness if detected.

Daniel Bruce answered Oct 13 '22 22:10

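The three checks this answer describes (is the certificate signed by a CA in the trust list, is it allowed for the domain being visited, and does its fingerprint identify it unchanged) can be reproduced on the command line. The script below is an added example, not part of the original answer: it builds a throwaway PKI with the openssl CLI (assumed to be OpenSSL 1.1.1 or newer, since it relies on `-verify_hostname` and `-extfile`), then plays "browser" with a trust store containing only that one CA. The CA name `Example Demo Root CA`, the hostname `www.example.test`, and all keys are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original answers): a throwaway PKI built with the
# openssl CLI to show why "signed by a trusted CA" matters and what a browser checks.
# Every name, key and certificate here is constructed for the demo; nothing is real.

WORK="${WORK:-$(mktemp -d)}"
LEAF_HOST="www.example.test"   # hostname the leaf certificate is valid for (constructed)

# Build: a root CA, a leaf certificate the CA signed for $LEAF_HOST, and a "rogue"
# self-signed certificate that claims the same hostname without any CA behind it.
make_pki() {
  cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LEAF_HOST
EOF
  # 1. Root CA: self-signed and flagged CA:TRUE, so it may sign other certificates.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/pki.cnf" \
    -extensions ca_ext -subj "/CN=Example Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  # 2. Leaf: a CSR for $LEAF_HOST; the CA signs it and pins the allowed name (SAN) into it.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=$LEAF_HOST" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/pki.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
  # 3. Rogue: anyone can self-sign a certificate naming $LEAF_HOST; no CA vouches for it.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/pki.cnf" \
    -extensions leaf_ext -subj "/CN=$LEAF_HOST" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1 || return 1
}

# Chain check: does a trust anchor in our one-entry "browser trust store" ($2) vouch for $1?
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Chain plus name check: the same, and is certificate $1 allowed for hostname $3?
verify_hostname() { openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; }

# SHA-256 fingerprint of a certificate; any change to the certificate changes it.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Run a check and print the outcome next to what a browser would be expected to do.
show() {
  want="$1"; shift
  if "$@"; then got="accepted"; else got="rejected"; fi
  echo "$got (expected: $want) <- $*"
}

demo() {
  make_pki || { echo "openssl setup failed"; return 1; }
  show accepted verify_chain "$WORK/leaf.pem" "$WORK/ca.pem"      # CA-signed leaf
  show rejected verify_chain "$WORK/rogue.pem" "$WORK/ca.pem"     # self-signed, no CA
  show accepted verify_hostname "$WORK/leaf.pem" "$WORK/ca.pem" "$LEAF_HOST"
  show rejected verify_hostname "$WORK/leaf.pem" "$WORK/ca.pem" "mail.example.test"  # wrong domain
  echo "leaf  fingerprint: $(fingerprint "$WORK/leaf.pem")"
  echo "rogue fingerprint: $(fingerprint "$WORK/rogue.pem")"
}

demo
```

The rogue certificate is rejected only because the trust store is ours: if an attacker could get their own CA into the browser's list (or, as the linked MD5 research shows, forge a certificate that chains to an existing one), `verify_chain` would accept it just as readily, which is the point the answer makes about trust resting on CA selection.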

The whole CA business is amazing. I've purchased a couple of certificates from rapidssl.com, and all the "proof" they required was:

  1. I could receive mail to the domain.
  2. I could answer my phone.

That was it. Keep that in mind when trusting the little locks in the browser.

Joonas Pulakka answered Oct 13 '22 21:10