So... there one root certificate (installed in all devices worldwide) for each CA, right?? What if a new CA needs to be introduced? Or how is it?

​@@cicher I don't know why my previous comment got deleted.... However... There is not one rootCA for each CA specificly, one rootCA may sign multiple CAs. The rootCAs are pre-installed on your OS and on Android you can view them in Settings > Security > More security settings > View security certificates; on Windows just run certlm.msc and navigate to Trusted root certificate authorities. When a new CA (not rootCA) is introduced it can be signed by a rootCA or another trusted CA, which is signed by a rootCA or another CA, which is signed by a rootCA or another CA, which is signed by a rootCA or another CA.......etc., which is signed by a rootCA. You can check the certificate path in your browser (click/tap on the lock icon and click/tap "Connection is secure" and (Android: Google Chrome) tap Certificate information (the you can see the path in the drop down menu at the top) or (Windows: Chromium Edge/Chrome) click the certificate icon and tab to certificate path). When a new rootCA is introduced worldwide the owner of the rootCA pays $ to the OS developers for including the rootCA in the next update. And this is why (except for Let's Encrypt e.g.) SSL cerfiticates usually costs something and because the CA checks the identity of requestors and enforces the policies given by the CA. However, often if you buy a domain, in my case, from IONOS.de a signed SSL cerfiticate for your domain and subdomains is included in the price tag (as well as an email-service). Instead of doing that you can create your own rootCA and install it on your devices, but of course this rootCA wont't be deployed worldwide or at least it's very unlikly if the you are not a major OS developer such as Microsoft, Google, Apple or Linux Foundation. Also on Android Deviced without root you will see the a warning "The network may be observed". And that could be true, because there could be a man-in-the middle attack. In a enterprise environment a proxy filter which is capable of https is exactly the same. The actual website has a encrypted connection to the proxy. The proxy decryptes the https to http, filters/alters the unencrypted data, encryptes back to https with it's own certificate, which is signed by a rootCA, which the company or a hacker installed on the client previously. On Android the rootCAs, which are pre-installed by the developer, and the addicional rootCAs, which are installed by the user, are in a seperate directories. To copy user rootCAs to the same directory as where the pre-installed rootCAs are stored, you need root-access to do so.

Ahhhhh! Thank you! You can create your own rootCA. Most of the explanation with SSL explains how it functions on public facing websites. I think creating your own rootCA is how you can use SSL in your own private network? This is what I’ve been wondering.

Wow, thank you! glad I could help

I was going to mock your comment because in every video there's a comment saying exactly what you did. After watching the video, yes this is the best explanation by far 😀😀😀

kinda cringy lol

Exploited89 thanks!! Am soo grateful To have 30k couldnt ask for more awesome subs

Trying to get better still! Haha thanks though

@@hnasr who is this dangerous hacker, Karen, btw?

❤️❤️❤️

Or am I totally wrong here?

Glad it was helpful Magomed!

jain kapil thank you Jain! Great idea

❤️

Correct , without certificate there is no way we know that someone in the middle has intercepted the traffic

* Client connects to web server * Web server responds with its certificate full chain * client verifies the certificate chain locally up until the ROOT cert which should exists in the machine/cert store. (Client doesn’t need to contact CA for that) That is the happy path, there is however a case which a certificate isnt expired but has been revoked (eg private key leaked) in that case one solution was CRL (certificate revocation list) a list of all revoked certs, that was bad because the list grow very large and hard to maintain... So they came up with OCSP (online certificate status protocol ) which the client must ask the CA to see if a certificate is still valid and not revoked. That is when the client connects to CA. Obviously people didn’t like that because you are leaking the sites you are visiting to the CA.. The other better approach is OCSP stapling which let the server asynchronously ask the CA on the backend and staple and sign the certificate with date proving that it hasn’t been revoked.. So in a nutshell nowadays you only connect to webserver but depends on the revocation protocol you might connect to the CA

@@hnasr thanks! that mostly makes sense except step 3. i am really confused about what the client is able to do in order to validate the full certificate chain is authentic. is it built into the browser? so when i install chrome for example that comes along with the ability to validate certificate chains? also, locally... root... any chances of a video on all of this part? or is it already on this video and its just all over my head yes that is more likely

@@DrHoops21 I asked ChatGPT how does Chrome browser validates a Certificate Authority. And here is the response. "When you visit a secure website, the server presents its SSL certificate to your browser. Chrome checks if the certificate is issued by a trusted CA. It does this by looking at the certificate chain, where the website's certificate is signed by an intermediate CA, and the intermediate CA is ultimately signed by a root CA. The root CA's certificate is stored in the browser's trust store."

Root CA is where the chain ends, and its public key is stored/hard coded in the browsers or in your device by the device's manufacturer.

Good question, during the certificate creation the server establishes a secure connection with the CA first during which CA sends its certificate to the server. The server will securely send its public key in that secure connection so no one can intercept it. If someone tries to intercept they need to prove that they are the CA by providing the CA cert which is not possible

Private public key is asymmetrical, using the same key to encrypt / decrypt is symmetrical. This might help kzbin.info/www/bejne/kGSpqJyuqKd4b5Y

Correct, most of the time those certs are preloaded with the OS cert store. Recently browsers are also coming up with their own cert store too

@@hnasr Okz thanks Hussein.. Actually we have a custom cloud application which calls a web server.. and we are making Api callouts, from code, not from browser. So it should be the same concept for that as well..right..

It won’t be trusted by your device because no trusted CA will ever sign a certificate to google.com to you without proper domain verification. It did happen with Diginotar but that CA got banned immediately

Hi bro

Ur tamil

yes from chennai