this post was submitted on 09 Aug 2023
48 points (96.2% liked)

Explain Like I'm Five

14243 readers
29 users here now

Simplifying Complexity, One Answer at a Time!

Rules

  1. Be respectful and inclusive.
  2. No harassment, hate speech, or trolling.
  3. Engage in constructive discussions.
  4. Share relevant content.
  5. Follow guidelines and moderators' instructions.
  6. Use appropriate language and tone.
  7. Report violations.
  8. Foster a continuous learning environment.

founded 1 year ago
MODERATORS
 

For example, anyone could use Let's Encrypt to get a trusted certificate, so what makes this trustworthy? Or why not trust everyone that signs their own certificates with a program like OpenSSL?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 31 points 1 year ago* (last edited 1 year ago)

Because of the man in the middle attack.

A self signed certificate could be a fake certificate created to trick you. Let's Encrypt checks the domain name to make sure the certificate is owned by the domain name at least.

For example, if your Dad decides to run a man in the middle attack with the router to check if you are looking at porn, your Dad only has to issue self signed certificates. When you visit a webpage, he can program the local router to send you to his computer before going to the internet.

Kids Computer -> Dad's computer -> Real Website.

Dad's computer will make a self signed cert to interact with your computer, while decrypting the data from the real website. It then reencrypts the data with a self signed cert, that you suddenly decided to accept.

Now your dad / company you are working for knows you are browsing Porn and fires you. This may or may not have been inspired by real life events.

Except it turns out that it was the Bosses / Grandparents who were browsing Porn so nothing happened.


Anyway, Dad's computer on this network setup cannot get a Let's Encrypt certificate. The Sysadmins will go around to everyone's computer or use Windows Group Policy to force the computers of the organization to trust a CA under control of the Sysadmins to get this man in the middle working.