Certificates and Certificate Authority Explained

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

what is going on guys my name is Hussein and in this video I'm gonna discuss certificate authorities it was a very popular topic that a lot of people asked me to do so I'm talking about it again in this channel in order to talk about anything we don't ask the what it is we don't ask what is a certificate authority we don't ask what is a certificate we ask why does it exist and that just immediately answers a lot of questions because why does this deck exist there is a reason there was a problem at one point and we ran into it and we needed a solution we invented certificate for that solution and then we ended invented something to manage the certificate and that's the certificate authority so let's jump into it class example I have a client you guys love this hand motions don't you and you have a server right have a client the server they want to establish or simplicity's use HTTP right I know TLS can be established on another protocol but simplicity rules this is a web server caddy right and it's running on port 443 and and and let's say this web server is mm I don't know supposed to be Google right and this is a client about to consume the Google home page what do we do first we establish a TCP connection assuming HTTP to HTTPS read is not correct but let's assume HTTP - I'm assuming TCP connection three word handshake all that jazz now I have a stateful TCP connection so before we send any data the get request to actually give me the information from Google we establish the the other ssangshik talked about TLS all the time check out these playlists really the TLS I'm gonna make a playlist just four TLS because I have a lot of videos on TLS all right so now we establish a TLS right why TLS well we need to encrypt we need nobody we don't want anybody in the middle to actually sniff our stuff right I don't want people to see what I'm searching for so now I'm gonna do TLS hello all that jazz let's agree on a key so we the same key encrypt and decrypt right so there's simple stuff now the client and the server agrees on the key and then now the client sends the first get request encrypts it first with this with the same key that day I agreed upon and then send it the information the server receives that encrypted request anybody in the middle cannot find out what the heck they have they are talking about because it's encrypted nobody has the kicks of those two Google server receives that encrypted decrypted read it process that request build an index.html ship it back no before we ship it encrypted the same key ship it back and the client does the same thing decrypted crosses and weren't there on the page or whatever now how do I know that as a client I am actually communicating with Google you might say well I have the IP address doll right I have the domain I was just literally type in google.com what the heck are you talking about of course I'm going to Google unfortunately it's not that easy because let's rewind the same thing that we talked about here but with a caveat client beautiful client a beautiful server Google and here's the thing and about to send the client hello to agree on the TLS handshake right and this symmetric key I send it someone in the middle says wait a second and you can you can do this not easy buddy it's possible with some men Hoover and the routers so I intercept your request the packet at the layer four level that's enough for me because I need to read your TLS parameters and I will see that oh you want to go to google.com okay I am going to stop right there and I'm gonna response respond on behalf of Google because I don't know IP address of Google I can respond as if I came from Google I'm gonna put the IP address of Google there but actually it's it's just some shady Karen right so Karen replied back with its own TLS parameters impersonating Google you have no idea that this happened right because at the client-side you got a key how do you know that this is Google ski or it's just a key it's a random number right I'm assuming this you got you didn't get a key you get a number and that's the diffie-hellman parameters here and then what will happen here is the client thinks that talks to Google but it's think it's talking to some random Karen right and Karen have the keys now and then Karen what it does to make things even more legitimate it establishes a two-way communication between itself and Google and then start establishing the keys so you have the Karen will have two keys Google key and the clients key and it will start just man in the middling very easily after six minutes I will now explained we needed something to verify that Google is actually Google that Yahoo is actually yeah well the hell uses girl yeah oh these days Bing is actually Bing right and and all these other websites right how do you know so we need some surface certificate that proves that this is Google and you might say well I can fake the certificate right because cuz I can I can just say hey I'm here is me I am Google and I can as easily as Karen Karen can as easily says hey I am Google this is the certificate right so the certificate by itself telling you that this is Google even that is not enough so we invented some other third party there both those guys trust that's the only solution we have today we need to introduce a third party that signs that and and kind of proves that this is Google and nobody can fake that right and that certificate that is called a certificate authority things like let's encrypt things like digi sign things like antitrust whatever all of these certificate authorities have certificates that they they use the public and private key mechanism very similarly so and and now let's talk the whole thing again with the certificate authority sorry so Google in order to start up even a web server running on port 443 with TLS it has to provide a certificate otherwise the web server well it will start but we'll have an invalid certificate that's that's a must for HTTPS so how do you do that you obtain Google or Weber website talks to a third party called the certificate authority and says hey my name is Google Google comm and I live here here is my public key where is my private key is my information please give me a certificate so that third party which is let's encrypt takes that information encrypts it with its private key that the certificate authority private key and then now you have had signed things up like a signed certificate right if we took the same scenario client and server client communicate with a server and then establish justification and then client hello and then the server hello we'll send the certificate and here is the important part the client what does it do next it has a certificate it needs to verify the certificate that is actually Google how does it do that very simple process it it says it claims that okay I have a Google certificate let's encrypt first of all I do I trust let's encrypt at all right in my client application I do trust it because it's installed with my operating system that and I'm not gonna go through that but there is something called the root certificate that there is a parent certificate authority that signs that trust let's encrypt and that is trusted on my machine so now okay I trust that okay I'm gonna take your public key which is either a certificate authority which is available I'm gonna encrypt the content that is available and that the Google does come sent me right google.com and I'm gonna compare it against the encrypted port that remember that the certificate authority actually encrypted now if those two matches that gotta be the certificate authority it's gonna be trusted but if those didn't match that means someone changed it right because nobody can actually fake the signature because nobody has the private key of the certificate authority except the certificate authority and that's how the trust happens right so now let's throw in Karen in the middle so Karen if I communicate with TLS and then and I said okay TLS hello to the server and Karen intercepted and says okay server hallo well Karen doesn't have Google certificate so it's gonna fake a certificate saying oh this is google.com I'm I am google.com and well officially if she says that she is google.com then she needs to a certificate authority to to sign it nobody nobody obviously will sign that for her because she's not Google right but if she managed to self sign it which is very easy then she's gonna self sign and claim to be Google very easy you can do this with the open SSL just generate a self signed certificate assuming your Google and reply back right and then the client will look at this okay do I trust Karen self signed certificate authority now I don't trust that what the heck happened I want to Google and now I'm getting this error so we get an error dad is nasty right that is very nasty and that's immediately we're gonna terminate the TCB that's the that's the good clients right but imagine Karen have have is dealing with a certificate authority that is trusted and managed to trick some certificate of authority to sign her certificate as if claiming claiming that she is Google let's say that is possible to very hard but it happened before by the way guys a leaked certificate authority private key was leaked and people started generating certificate based on that certificate authority and then just that that immediately shattered that certificate authority trust immediately yeah but let us imagine Karen did that she got private key of the certificate authority and she generated a certificate authority certificate for up claiming to be Google and reply there the client will look and say oh I trust this let's encrypt or I trust this whatever certificate authority and that it will allow it in that case that's why I always always always like to click on the padlock when I am a public Wi-Fi and look at actually that the chain of a trust is like okay who's actually sign is it really Google and it's really is it really the actual Google root right or is this some other stuff and here's another thing that a government of Kazakh Stan wanted to do and this is what I want basically to spy on people so what it did it it uses an HTTP proxy terminating TLS terminating proxy for all its citizens right try to and it forced it wanted everybody to install a root certificate on every single device on catalyst on and I'm gonna reference the the link below alright it wanted to do that I think it says now it's they didn't that didn't happen I think right I think that didn't happen yet but here's what ever wanted to do they wanted to install that root certificates in government of Kazakhstan to be a trusted certificate root right to be installed in every device so now if I am if I'm a citizen in Casa Hostin I'm using my android phone and I have the government of Kazakhstan root certificate and I want to go to Google first they will not allow you to access the entrance without going through their HTTP proxy that that's very easy because there is peace or they have RSP in their pockets so they can do now they can forward all the traffic HTTP traffic HTTP HTTP is easy everybody can see that I'm not talking about HTTPS they terminate the HTTPS like they negotiate the keys between you and that HTTP proxy and return a certificate claiming them to be Google right signed by the government of Kazakhstan certificate authority shipped back right and first of all so yet is gonna make that a course on behalf Duggal get back the results and then get the content and then ship back the certificate off that's going to be Google to that client and the client now look at the certificate or do I trust this let me look at my certificate roots on my machine and oh government of Kazakhstan just this thing this is pretty good crushed it and when in strategy you can establish the TCP connection once you establish it you start sending information and they terminate the TLS they decrypt the traffic they look at your what you're searching they can make decisions and if it's good they rien cut it in the back in and talk to Google they wanted to do that I don't believe they they was the exact seed because it's a huge invasion of privacy obviously right yeah so that's a some topic our certificate and certificate authority let me know guys if you have some questions write them below on the description description you cannot drive to the description write them below in the comment section and I'm gonna see you in the next one there are a lot of topics this is a very beefy topic I can I can talk about this for a long time and I am pretty much I missed a lot of stuff so let me know what do you have what questions do you have what do you think about this topic and do you think we have an alternative for two certificates the third party third party certificate authorities do you or not let me know in the comment section below I know there is a end-to-end encryption that allows you to do that with kind of fingerprints and all that stuff but I don't know much about it so for you guys expert out there let me know in the comment section below let's have a discussion and I'm gonna see in the next one you guys stay awesome

Info

Channel: Hussein Nasser

Views: 40,510

Rating: undefined out of 5

Keywords: certificate authority, TLS Certificate, SSL Certificate, CA ROOT

Id: x_I6Qc35PuQ

Channel Id: undefined

Length: 16min 23sec (983 seconds)

Published: Sun Jun 07 2020