For example, anyone could use Let’s Encrypt to get a trusted certificate, so what makes this trustworthy? Or why not trust everyone that signs their own certificates with a program like OpenSSL?

  • Monkey With A Shell
    link
    fedilink
    English
    21 year ago

    If you look in the certificate store of your browser there are a number of issuing authorities that the browser will treat as valid source-of-truth providers for SSL certs. If a certificate doesn’t come from one of those, or is expired, or revoked the browser will throw up an alert to let the user know of the problem. Let’s Encrypt is a group created to issue these certs in an automated fashion just like the traditional CAs. Really it’s just a matter of which CAs are acceptable. Some organizations will remove trust for certain entities (Symantec for a while had removed the US Gov from the trusted issuers bundle for their Bluecoat proxies) if they deem an authority as suspect or potentially compromised. There wad also an incident several years ago where a major issuer had sent out an intermediate CA pair that a buisines ended up putting on a proxy that routed a big chunk of public traffic through effectively breaking the user’s encryption. That CA got banished from the common browsers shortly after.