Why I need a SSL certificate?

Question

I have a short question: why do I need a SSL certificate (I mean only the certificate not the SSL connection)?

In my case Google Chrome deteced, that the connection is encrypted and secure, but everything is red because I created the certificate by myself. Why I need a SSL certificate, if the connection is secure?

Answer 1

Just because traffic to 192.168.xxx.xxx doesn't leave the boundary of your network doesn't mean that it's safe.

Especially if you have BYODs attached to the network (and even if not, you don't want to be a hard shell with a juicy interior), someone can bring a compromised laptop or phone, attach it to the network, and a virus can intercept everything going on the network (see firesheep).

So you have to assume that the network is malicious - treat your LAN as if it were the internet.

So now the question goes back - why can't I rely on a self-signed certificate (both on a local network as well as the internet)?

Well, what are you protecting against? TLS (SSL) protects against two things:

1. Interception - even if I MITM you (I become your router), I can't read what you're sending and receiving (so I can't read your Credit Card numbers or password)

2. Spoofing - I can't inject code between you and the server.

So how does it work?

I connect to the server and get a certificate signed by a CA. This CA is considered trusted by the browser (they have to go through all kinds of audits to get that trust, and they get evicted if they break it). They verify that you control the server and then sign your public key.

So when the client gets the signed public key from the server, he knows he's going to encrypt a message that only the destination server can decrypt, as the MITM wouldn't be able to substitute his own public key for the server's (his public key wouldn't be signed by a CA).

Now you can communicate securely with the server.

What would happen if the browser would accept any SSL cert (self signed)?

Remember how the browser can tell the official cert from a fake MITM cert? By being signed by a CA. If there's no CA, there's literally no way for the browser to know if it's talking to the official server or a MITM.

So self-signed certs are a big no-no.

What you can do, though, is you can generate a cert and make it a "root" cert (practically, start your own CA for your internal computers). You can then load it into your browsers CA store and you'll be able to communicate through SSL without having to go through something like letsencrypt (which, by the way, is how enterprise network monitoring tools work).

Answer 2

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 standard.

(from https://en.wikipedia.org/wiki/Certificate_authority)

You are not a trusted CA. Basically, if you sign your own certificate then there is no one that is able to vouch that the server is truly what it is. If you had a valid, trusted third party vouch for you then the certificate would be "valid."

Having a self-signed certificate doesn't necessarily mean that the website is dangerous, its just that the identity of the server can't be verified and thus it is more risky for the vistor.