11
billgates
128d

How would you explain SSL, certificates, and CAs to a layman?

I just spent 30mins trying to explain it to them in a chat (related to Mpngo driver configs and the sslValidatrle flag), they sorta went silent on me so not sure if I explained it or understood the roles/purposes correctly...

One example I used was it prevents a man in the middle attack where your connection gets rerouted to another server. If the CA didn't recognize the cert the new server replies with then it rejects it and prevents the attack.

Comments
  • 0
    Using words like attack isn't very helpful with a layman
  • 1
    @ausername layman = team of devs that are talking SSL certs but I don't think they understand it correctly.

    They're like we're not talking about browsers we're talking about mongo connections and servers... And I'm going wtf is the difference?

    So I guess what I'm looking for is maybe "a non web dev can understand"
  • 3
    my example isnt the best but i will try:
    certificates are like envelopes with seals, you cant read a message without breaking the seal. you wouldnt send an wire transfer for your bank on an postcard. its the same principle with electronic transfers, we replaced the sealed envelope with certificates, the only difference is that certificates are better, because there are two keys, ine that can be shared with the world and one private that lies on the server. the clou is that you need only the public key to start the communication with the server.
    but how i know that a certificate for an site is real? every certificate can be signed. every browser has some public certificates saved which are trusted. when you open google, google sends a signed public certificate to the browser. the browser checks the signatures on the certificate and if any of those is trusted. if this test passed goigle can send your page.
  • 1
    @stop but all certificates are real. they are just a file that conforms to some technical spec.

    So CA just says "you trust us and based on the signature of the certificate, you can trust them?"

    I know SSH/server-server also needs SSL certs. The purpose of that is to just encrypt communications and establish that both machines know each other?

    CA is mostly for public service like a DNS? and I guess they're supposed to do their due diligence before issuing someone certificate?
  • 3
    You own a special kind of box that you have given to a friend of yours so that he can send you secret objects in it. This box has two keys, one that can "only lock it", and the other that can "only unlock it".

    The key that can "only unlock it" is your "private key" which is yours alone, is with you all the time and you never share it with anyone. The key that can "only lock it" is your "public key" that is always kept along with the box and can be shared with anyone.

    Now consider that you have already supplied your friend with enough number of such empty unlocked boxes beforehand along with your "public key". When your friend decides to send you something confidential, he places the package inside the box and locks it with your "public key" and sends it over to you.

    Since the box can only be opened with your "private key" no third party has access to the contents inside the box.

    In the digital world, this mechanism translates to what's called "encryption". SSL is one such method.
  • 0
    @oneinazillion13 thanks so this is the SSL part I understand. But where does the CA come in, in terms of verification?
  • 2
    @billgates Consider a scenario where you get pulled over for speeding and the police requests your license and registration to verify your personal info like age and ownership.

    The police puts a fair amount of trust on the info printed on your license and registration as it was released by a government authorized institution. It certifies you as the person you say you are.

    Certifying authorities in the digital world are such trusted sources of information who help you identify someone online.

    You approach a trusted CA to issue you an encrypted 'digital certificate' that cannot be replicated. It certifies you as the person or entity you say you are.

    Other online entities can now consult the CA to check the same.
  • 0
    TLS*
  • 1
    @oneinazillion13
    That is a great example of CA trust!
    Anyway, what of everyone could get a passport only because they said that their name is **** **** and that is enough? Would you trust it?
  • 2
    @Linux CAs offer you a way for identification. Whether or not you trust them is a matter of judgment on your part. It largely depends on your past experiences.

    Think of it this way, CAs can assure you that A is actually A and B is actually B. There cannot be more than one A or B. They are only concerned with how A and B communicate and not with what they communicate. And as I mentioned earlier, what you choose to communicate or disclose is your own problem.

    P.S : CAs just cannot exist unless people put a certain amount of trust in them.
Your Job Suck?
Get a Better Job
Add Comment