Thread replies: 27
Thread images: 3
Thread images: 3
File: (((((((certs))))))).jpg (12KB, 593x115px) Image search:
[Google]
12KB, 593x115px
why is google allowed to verify itself
>>
>>62356690
probably because google trusts itself
>>
can't anyone do this?
>>
>>62356710
i dont
>>
https://twitter.com/errstr/status/883446170101657601
>>
>>62356729
dont trust anyone
not even yourself
>>
google is considered a trusted certificate authority by your browser/os
i don't see the potential issue here. in what way do you think the purpose of the certificate is impaired?
>>
>>62356765
what this guy said
The problem with identification is getting the certification to the client. Since we obviously can't supply a program with self-signed certs for every possible server, we use 3rd-party servers.
In other words, there's nothing wrong with self-signed certs, only with making sure they are who they say they are. SSH basically works with self-signed certs all the time.
>>
>>62356757
lost
>>
That's because if you trust Google you trust Google
>>
>>62356809
>SSH basically works with self-signed certs all the time.
Samefag here, I do know there are options like SSHFP records but they are not very widely used
>>
Google is a certificate authority. So whatever claim about identity of a website they make, your system believes it. It doesn't make a difference If google authority or some other authority claims that google.com is indeed owned by google company.
>>
>>62356929
another samefag, the problem is of course to get the authority certificate to the browser. this is managed by the browser or operating system. updates often add or remove authorities.
on windows you can run certmgr.msc to see the certificate authorities.
>>
>>62356729
You don't have to.
>>
>>62356765
That's not what it says. It doesn't say this browser trusts this website. It says google.com is trusted by google trust. It's entirely absurd. Don't try to rationalize how fucked up certs are.
>>
>>62357054
>It says google.com is trusted by google trust.
You're confused. If Google is a trusted CA by your browser, it doesn't make sense to require google's sites to be "trusted" (aka: certified) by someone else' CA. There's a short circuit in your reasoning but probably you can't see it since you're a brainlet.
>>
>>62357054
Certs are all about centralized authentication. You personally get to choose which CA you care for.
>>
>>62357054
>It says google.com is trusted by google trust. It's entirely absurd
Its not absurd at all. The question is if you system trusts the claims google trust makes or not. What difference would it make if another authority, e.g. Symantec, would guarantee the identity of google.com?
>>
>>62357116
>make my malware botnet
>release it on github
>make my malware website
>make it the homepage of my malware bot
>"Malware botnet certifies that malware homepage is safe"
Do you see how stupid that if you apply it to normal people and not Google.
>>
>>62357216
wouldnt work.
>>
File: ie7-certificate-not-trusted.png (30KB, 714x391px) Image search:
[Google]
30KB, 714x391px
>>62357216
you would get one of these messages
>>
>>62357216
normal people are not google and thus they are not CAs trusted by browser vendors, your reasoning is invalid.
>>
>>62357216
>if there's https on a page, then the content of the page is "safe"
>https = no virus
you're not that ignorant, are you?
>>
The DoD has the same thing.
DoD is a CA, so they can verify their own sites.
>>
>>62357216
it seems you don't understand what certs actually certify.
>>62357284
strictly speaking, one could use Let's Encrypt and certify whatever they want (without being a CA themselves, but being a CA doesn't mean jack shit)
>>
File: 1487588335495.jpg (105KB, 574x1147px) Image search:
[Google]
105KB, 574x1147px
>>62356751
>https://twitter.com/errstr/status/883446170101657601
jesus fucking christ.
>>
>>62356751
>>62357456
Lmao, nice
Thread posts: 27
Thread images: 3
Thread images: 3