HTTPS Certificate

Started by safracatz, Sep 07, 2022, 12:02 AM

safracatz (Topic starter)

The need for a certificate for a website is not entirely clear if the hosting provider's server is somehow engaged in data encryption.
I can't figure out in any way what functionality the certificate itself adds and how it does it. If the hosting provider just wants to take some responsibility off himself, then this is still clear.
But how, for instance, can a web site owner who has received a certificate be responsible for all users posting content there?

But the main misunderstanding is that the protocol is provided directly by the hosting provider's server, and what role the site owner's certificate plays here is not clear at all.


There is no short explanation here. The HTTPS protocol requires that the client (i.e. the site visitor) and the server on which the web site is located (i.e. your hosting provider's server) have certificates that they must exchange when establishing a secure connection. Here your logic works. BUT: The point of a secure connection is not just to apply encryption.
It should be understood that encryption is required so that an attacker located somewhere on the connection path between the client and the server cannot read and/or change the data. Here, just encryption is no longer enough. Let's imagine that the connection does not require a certificate of a specific web site. Then the attacker will be able to answer the client that he actually is the server on which your site is located. In that case, the client will send data to the attacker, and he will pretend to be a client and interact with your real web site. Technically speaking, the attacker will act as an SSL/TLS terminator. Obviously, at the same time, an attacker will be able to read everything that the client sends to the server and back, as well as change this data.

It is in order to prevent such a scenario that the HTTPS protocol authenticates the certificate. To put it simply, that is done as follows. There are a number of unconditionally trusted certification authorities. You, as the site owner, must (often with the help of a web hosting provider) generate a certificate request and send it to such a center. The center will verify that you are indeed the owner of the site, and upon successful verification will issue you a certificate for your web site with its digital signature.
Your certificate is associated with a private key that is created at the same time as the certificate request. You (or your hosting provider) store that key on the server where your site is hosted, and it is connected accordingly in the configuration of the server. Without a private key, an attacker will not be able to use (assign to himself) the certificate of your web site.

When establishing a secure connection with the server, the client verifies that the certificate sent by the server is signed by one of the above-mentioned (and known to all standard browsers) certification authorities. If the digital signature is correct, the client's browser sends to the server the data encrypted using the public part of the key located in the body of the certificate.
Without a private key, an attacker will not be able to decrypt the client's request and, accordingly, will not be able to give a correct answer to it. Thus, it is guaranteed that the client will connect only to the right server.

Actually, in order for an attacker not to be able to generate a "fake" web site certificate himself, the direct participation of the site owner is required here. The certification authorities will sign only the certificate, the creator of which will be able to prove that he really owns the web site. In this case, it's you.

Sometimes the hosting provider can do it all by himself - if you registered a domain through that web hosting provider and use his domain name servers. Otherwise, we cannot do without your participation. If you think about it, it makes sense. Imagine that an attacker gets access to one of the hosting providers (not necessarily yours). Then what will prevent him from getting a digital signature from the certification authority if the center does not try to verify the ownership of the web site?
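The checks described in the reply above can be reproduced offline with the `openssl` command-line tool. This is an added example, not part of the original post: it builds a throwaway certification authority, a site certificate signed by it and an impostor certificate for the same name, then runs the client-side checks. The names "Demo Root CA" and `www.example.test` and all file names are constructed, and the CA's ownership validation is not modelled.

```shell
# Added example. "Demo Root CA" and www.example.test are constructed names.
# Builds a throwaway CA, a CA-signed site certificate and an impostor in dir $1.
make_demo_pki() (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=ca' '[dn]' 'CN=Demo Root CA' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
    printf 'subjectAltName=DNS:www.example.test\n' > san.ext
    # Stand-in for a certification authority that browsers already trust.
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.crt -days 1 2>/dev/null || exit 1
    # Site owner: a private key plus a certificate request (CSR).
    openssl req -new -config demo.cnf -subj '/CN=www.example.test' \
        -newkey rsa:2048 -nodes -keyout site.key -out site.csr 2>/dev/null || exit 1
    # The CA signs the request (its ownership check is not modelled here).
    openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile san.ext -out site.crt -days 1 2>/dev/null || exit 1
    # Impostor: same site name, but signed with its own key, not by the CA.
    openssl req -x509 -config demo.cnf -subj '/CN=www.example.test' \
        -newkey rsa:2048 -nodes -keyout fake.key -out fake.crt -days 1 2>/dev/null
)

# Client check: signed by the trusted CA, and issued for the requested name.
chain_ok() {    # $1 = dir, $2 = certificate file, $3 = host name requested
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2" >/dev/null 2>&1
}

# A certificate is only usable together with the private key it was made for.
key_matches() { # $1 = certificate, $2 = private key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo=$(mktemp -d) && make_demo_pki "$demo"
chain_ok "$demo" site.crt www.example.test && echo "site.crt accepted"
chain_ok "$demo" fake.crt www.example.test || echo "fake.crt rejected: no trusted signature"
key_matches "$demo/site.crt" "$demo/fake.key" || echo "fake.key does not fit site.crt"
```

The generated files stay in the temporary directory printed by `echo "$demo"`, so they can be inspected with `openssl x509 -text` and deleted afterwards.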

Я И Бал Крассавиц

Hello! The owner of the site in no case has anything to do with the consumers of the site, since each person is responsible for himself!) And in addition, I would like to say that you asked a good question!)


An SSL certificate is needed so that fraudsters cannot intercept the personal data that users enter on your website.
Personal data is logins and passwords from accounts, bank card numbers, email addresses, etc. This means that an SSL certificate is useful on the websites of banks, payment systems, corporations, online stores, social networks, state-owned enterprises, online forums, etc.

An SSL certificate is beneficial for the site owner: this way you will confirm that it is safe to enter personal data on the site and take care of customers.
If a person is worried that confidential information will fall into the wrong hands, he will receive additional guarantees. Less risk for users, higher reputation of the company.
If the site has an SSL certificate, a secure connection is established between the client's browser and the site. In this case, the browser first converts the card number into a random set of characters and only then sends it to the server.
You can decrypt the message only with a special key that is stored on the web server. If the scammers intercept the information, they will not understand what it means.