-2

I honestly really don't understand why we need SSL certificates. Yeah, this is a dumb question, but just bear with me...

First of all, isn't a certificate just to verify you are reaching the right URL? I thought a URL is unique, why don't you just look at the URL to make sure you are visiting google.com instead of gogle.com

Secondly, what do CA's check when they issuing certificates?

Hope someone can clear these questions up.

S.L. Barth
  • 5,504
  • 8
  • 39
  • 47
user3489985
  • 133
  • 3
  • Possible duplicate of [How does SSL/TLS work](https://security.stackexchange.com/q/20803/5405). Also, certificates protect against a man-in-the-middle (MITM) attack. – S.L. Barth Jun 29 '17 at 07:12
  • 4
    This lacks the most basic research and confirmation of assumptions. – schroeder Jun 29 '17 at 07:16
  • 2
    Taffic can be rerouted, a URL is no guarante that you were accessing the intended resource. – HansMusterWhatElse Jun 29 '17 at 07:18
  • 2
    Both google.com and gogle.com can have valid certificates. So certificates do not protect against typosquatting. – Eelke Jun 29 '17 at 07:18
  • 2
    I think you need to do some very basic research before posting questions like this. This forum has thousands of great posts explaining all the concepts and why they are needed. There are search engines as well that offer a great facility in returning content based on an inputted question - Google is one – ISMSDEV Jun 29 '17 at 07:42

1 Answers1

1

Why do we need SSL certificates?

The server certificate is checked by the client to make sure that it talks to the expected server and not to some man in the middle. That's why the certificate must be valid (not expired, not revoked), must be signed by a CA the client trusts and must be issued for the site the client visits, i.e. subject(s) (which includes subject alternative names) must match the domain from the URL.

what do CA's check when they issuing certificates?

When someone requests a certificate from a CA the CA must check that this person is actually owner of the domain. There are various methods to do this: some send a mail to specific addresses in the domain, some expect the claimed owner of the domain to provide a specific file with a content specified by the CA at a specific position at the domains web site. And for EV certificates the company has to send in various paperwork too.

Additionally some CA check that that the domain is not something which will probably get used for phishing, i.e. containing references to Paypal or similar. For much more detailed information look at the various documents which can be found at the CA/Browser Forum.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • Why a man in the middle can't get the original certificate of the server and redirect it to us? Does it have any parameter or part which ensures that we are getting this certificate from the original server? I mean everybody can get this certificate once and uses it as many time as he/she wants(Even if it has a timestamp in it the MITM can get the certificate every time from the server and redirect it) – Kamran Hosseini Nov 24 '19 at 15:56
  • 1
    @K47: please don't ask a mostly unrelated question in a comment. Also, the magic thing which prevents a MITM to simply reuse the servers certificate is that only the original server has the private key. For more see [Does https prevent man in the middle attacks by proxy server?](https://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server). – Steffen Ullrich Nov 24 '19 at 16:36