this post was submitted on 09 Aug 2023
48 points (96.2% liked)

Explain Like I'm Five

14263 readers
135 users here now

Simplifying Complexity, One Answer at a Time!

Rules

  1. Be respectful and inclusive.
  2. No harassment, hate speech, or trolling.
  3. Engage in constructive discussions.
  4. Share relevant content.
  5. Follow guidelines and moderators' instructions.
  6. Use appropriate language and tone.
  7. Report violations.
  8. Foster a continuous learning environment.

founded 1 year ago
MODERATORS
 

For example, anyone could use Let's Encrypt to get a trusted certificate, so what makes this trustworthy? Or why not trust everyone that signs their own certificates with a program like OpenSSL?

you are viewing a single comment's thread
view the rest of the comments
[–] rarely@sh.itjust.works 6 points 1 year ago

Signed by whom? The CA.

The CA is the certificate authority.

You can create your own CA and sign your own certs for free, but people would need to have your CA root cert in their browser for them to be able to trust your signed certs.

Let's Encrypt is a real CA bundled with browsers, and it signs free cert signing requests when specific criteria is met. This is done because TLS is an important privacy mechanism that works best if many certs are in use and not just a few wildcard certs.

Why not trust self-signed certs? Because there are no checks. When miicrosoft.com (the people who make the miis on your wii) gets a free cert signing from Let's Encrypt, its because the owner of miicrosoft.com proved that they owned the domain miicrosoft.com by means of a lets encrypt / acme challenge. When you create your own CA and sign your own certs you are beholden to your own rules. You could sign a free cert for microsoft.com (the people who make minecraft) but then you would also need to convince users to install your CA, and then you can steal their blocks and grief their builds.