As we all know, when an SSL Certificate is assigned, there is a trust chain that

Question

As we all know, when an SSL Certificate is assigned, there is a trust chain that is created for verify everyone from the Certificate Authority to the actual website's SSL Certificate.

Thanks to a good discussion with a security expert, I am lead to believe that this trust chain is flawed by the way it is done. After so long in the chain, it seems like you are just blindly trusting everyone that assigns/controls the certificate, even the Certificate Authority.

Is this method blind trusting the Certificate Authorities, Root Authorities, and everyone that processes the SSL Certificate?

I do see this as a major flaw in the system which we hold dear and use.

Explanation / Answer

I would not call it blind trusting, but yes - you rely on the trustworthiness of the root certificate and all the intermediate authorities on the way depending on the implementation and configuration.

A website's certificate is verified with a CA. In order to make sure this CA is indeed the actual CA you intend to trust, you can verify its own certificate with another CA above it in the hierarchy... this repeats itself until your reach what is called a root certificate. This certificate is validated by your software which has a list of root certificates it trusts. This can be managed by the OS or by the application itself.

Hence eventually all your security relies on this path from the root certificate all the way down.

Attack vectors include:

An attacker manages to install a malicious root certificate on your PC it is game over.

An attacker manages to fool one of the CA's or exploit a vulnerability and own a CA

Related Questions

Navigate

• Browse (All)
• Browse A
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.