Certificates and Who You Trust
Encryption stops eavesdropping, but it quietly creates a new problem. When Olivia's browser sets up a private, encrypted link to "her bank," how does it actually know it is talking to the real bank — and not an impostor who slipped in between her and the bank and is now happily encrypting a conversation with her?
Encrypting a conversation with the wrong party is no help at all. So before any of that encryption is worth anything, the site has to prove it is who it claims to be. The tool for that proof is a certificate — a signed document that vouches for a site's identity — backed by a chain of trust we will walk through here.
Here is a useful comparison: a passport. You trust a stranger's passport not because you personally know them, but because a government you already trust issued it and stamped it in a way that is hard to forge. A certificate works the same way, and the rest of this page is really about who does that "stamping" on the web.
Why Encryption Alone Isn't Enough
Imagine Olivia types in her bank's address and her browser opens an encrypted connection. Encryption guarantees that whatever she sends can't be read by onlookers along the way. But it says nothing about who is on the other end.
If an attacker managed to sit in the middle and answer in the bank's place, Olivia would be sending her password — perfectly encrypted — straight to the impostor. The lock on the conversation is only as good as your confidence about who holds the other key. So encryption needs a partner: a way to prove the server really is the bank.
What Is a Certificate?
A certificate is a small signed document a website presents to your browser. It ties together two things: the site's name (for example, the bank's web address) and the site's public key — the public half of the key pair the site uses to set up encryption.
On its own, a document claiming "I am the bank" would prove nothing — anyone could write that. What makes a certificate believable is the signature on it. The certificate is digitally signed by a Certificate Authority (CA) — an organization whose job is to check identities and vouch for them. A digital signature, from the earlier topic, is the hard-to-forge stamp: it lets your browser confirm the certificate really came from that CA and hasn't been altered.
That is the passport mapped onto the real thing: the site is the traveler, the certificate is the passport, and the CA is the issuing government whose stamp you already trust. From here on we will just say certificate and CA.
The Chain of Trust
So why does your browser trust a CA in the first place? Because the trust is built in ahead of time. Your browser and your device come with a list of CAs they are willing to trust — a list curated by the people who make the browser and the operating system.
When Olivia connects to her bank, the bank's server hands over its certificate. Her browser checks: was this certificate signed by one of the CAs on my trusted list? If yes, the browser accepts that the site is who it claims to be, and the encrypted session goes ahead. (It also checks that the certificate was issued for this exact site name and has not expired — a valid certificate for one site can't be reused to impersonate another.) If the signature is missing, broken, or comes from a CA the browser doesn't recognize, the browser warns her instead.
This is what people mean by a chain of trust: you trust the site because a CA vouched for it, and you trust the CA because it was already on your device's list. Your browser is not personally inspecting the bank — it is checking that a trusted authority signed off on it.
The Weak-but-Necessary Part
This whole arrangement rests on one assumption: that CAs do their job honestly and carefully. A CA is supposed to confirm that whoever asks for a certificate for "the bank" actually controls the bank's web address before signing anything.
Most of the time this works, which is why the web's identity checks are quietly reliable. But it is also the soft spot. If a CA is tricked, careless, or compromised and signs a certificate for a site it shouldn't have, browsers will trust that bad certificate — because trusting CAs is exactly what they are built to do. When a CA fails, real problems follow, and you will sometimes see such failures in the news. The full machinery of how those are detected and undone is deep-dive territory; for now the point is just that the system's strength and its weak spot are the same thing: delegated trust.
- "A certificate means the company is honest." A certificate proves the site is who it says it is, and provides the public key the browser uses to set up the encrypted connection. It says nothing about whether the business behind the site is trustworthy or its products are good.
- "My browser personally checks each website." Your browser doesn't investigate the site itself. It checks whether a CA it already trusts vouched for the site — the trust is delegated to those authorities.
- "Anyone can issue a certificate for any site." Only a CA your device trusts produces a certificate the browser will accept, and a CA is supposed to verify that the requester actually controls the web address first.
- Certificates are how the web stops you from being silently connected to an impostor pretending to be a site you trust.
- They reveal that trust on the internet is delegated to a set of authorities — useful background for later news about a CA being tricked or compromised.
- They draw a clean line between "this connection is private and goes to the named site" and "this site is run by good people" — the first is what a certificate proves, the second it cannot.
Knowledge Check
What does a website's certificate actually prove to your browser?
- That the site is who it says it is and the connection is encrypted
- That the business behind the site is honest and well run
- That the site has no security flaws and loads quickly
- That everything written on the site has been independently fact-checked for accuracy
When your browser receives a certificate, how does it decide whether to trust it?
- It checks whether a trusted CA signed the certificate
- It personally researches the company that runs the website
- It trusts any site that lots of other people visit
- It accepts any certificate the site chooses to present
Why is the system of Certificate Authorities described as both reliable and a weak spot?
- Everything rests on CAs doing their job well, so a CA failure breaks the trust
- Because certificates stop working again every single day
- Because the encryption itself is easy for anyone to break
- Because browsers do not keep any record of which authorities to trust and have no way to check