So this video explains how https works. What I don’t get is what if a hacker in the middle pretended to be the server and provided me with the box and the public key. wouldn’t he be able to decrypt the message with his private key? I’m not a tech expert, but just curious and trying to learn.

  • Nightwatch Admin
    link
    fedilink
    English
    arrow-up
    16
    ·
    6 months ago

    It is indeed true that some CAs have seriously misbehaved; however, browser builders are rather strict on the presence of the CAs they trust. Misbehaving or even simple errors are reasons for getting kicked out, after which certificates signed by those CAs are now no longer valid.

    • mox@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      6 months ago

      Misbehaving or even simple errors are reasons for getting kicked out,

      That can be helpful if a transgression is noticed, and it’s not orchestrated by a higher authority (e.g. government), and the damage isn’t already done.

      browser builders are rather strict on the presence of the CAs they trust.

      Of course, browser builders are vulnerable to influence, attack, accidents, questionable judgment, and blind spots just as certificate authorities are.

    • lily33@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      6 months ago

      I’m somewhat skeptical. What if LetsEncrypt decided to misbehave tomorrow? Would the browsers have the guts to shut it down and break all sites using it?

      • Nightwatch Admin
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        6 months ago

        Yes, they will. We’ve seen it before in mostly less serious cases: Diginotar, Türktrust, Symantec, etc. As brittle as the CA system can be, when there is real enough trouble, CAs do get revoked.

      • catloaf@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        6 months ago

        Not the browser companies. The parent CA would revoke Let’s Encrypt’s certs and publish that revocation in the certificate revocation list. When the browser (software, running on your system) downloads the new CRL, they will automatically stop trusting LE.