Why does a web server's public key certificate have to be signed by a certificate authority?

security https ssl-certificate encryption

The purpose of SSL when used with HTTP is not just to encrypt the traffic, but also to authenticate who the owner of the website is, and that someone's been willing to invest time and money into proving the authenticity and ownership of their domain.

It's like purchasing a relationship, not just encryption, and the relationship instils, or assumes, a certain level of trust.

That said, I asked a similar question a few months ago, and the basic answer that came back was "SSL is a bit of a scam"


Imagine a situation where you are to deliver $1,000,000 to a person named John Smith you have never met or communicated with. You are told you can meet him in a crowded public location. When you go to meet him you will need some way to be sure that he is actually the person you are looking for, and not some other random person claiming to be John Smith. You might ask for some government ID, a business card. You might ask a person you trust who has actually met the John Smith for help identifying him.

A self-signed certificate uniquely identifies a system, but it doesn't do anything to prove that the system is who it claims to be. I can easily self-sign a certificate and claim to be serverfault.com, google.com, or yourbank.com. Certificate Authorities basically act as a third party that is trusted by the client to verify a certificate is actually valid for the name the site claims to own.


The SSL business is indeed a bit of a scam. More than a bit, in fact, when you're paying about 20p per byte for some cryptographically-interesting data. What you're paying for is for whichever CA you use to sign your certificate with one of their private keys after proving to themselves that you are indeed entitled to use the domain/host name that the certificate is for. As Farseeker says, it's a trust relationship - the CA trusts you (after they've vetted you), the world's web browsers trust the CA (usually), and therefore the worlds web browsers will trust your cert. And don't get me started about Extended Validation...

Related

How can I record Linux commands?
Is adding the Debian repository to my apt source.list dangerous on Ubuntu? [closed]
Cron - How can I create a cronjob that runs every 15 seconds?
Is SSH Key Exchange more secure than password authentication?
How to block IP addresses in HAProxy?
Amazon EC2 bandwidth charges in case of unwanted incoming traffic(ddos/flood)?
Ping Equivalent For Checking If A Port Is Open
HP Smart Array; How to safely remove a physcial drive with SMART predictive failure from array so it can be replaced?
Managing SSH Connections
Bad Performance when SQL Server hits 99% Memory Usage
How do I reset default .bashrc (debian wheezy)? [closed]
Ganeti vs Proxmox [closed]