Some funny SSL stuff

Author: Martin Voelk
February 13, 2016

Everyone knows that you shouldn’t use self-signed certificates: browsers don’t trust them natively and show an error message. If users get used to accepting untrusted certificates, they won’t be able to tell a self-signed certificate from a man-in-the-middle attack. I think most admins are clear about that. This is why there are CAs like Verisign, Comodo, GoDaddy and so on.

But when it comes to Google, everything is funny. Many people don’t know that Google runs its own CAs, so its certificates are natively trusted, just because it’s Google?!? Unfortunately, this is what the Internet has become: a company just needs to grow big enough, form its own trusted CA, and then every browser trusts it natively. German Telecom is the same thing.

No user would trust company X with a self-signed certificate over their portal login. Yet if it’s Google or YouTube, everything is nicely signed by themselves and the little green lock shows in the browser. All good and safe 🙂 Happy Internet
