What are SSL/TLS Certificates? Why do we Need them? and How do they Work?

Captions
What is going on, guys? My name is Hussein, and in this video I want to explain why we need digital certificates, those certificates that, when you communicate with a secure web server, give you this beautiful secure connection. And we get this sketch.io, which is the website I'm using right now; it's signed by this certificate authority, and it's started by this. Why do you need this stuff? Why do you need the certificate and all that stuff? So if you're interested, stay tuned.

All right, guys, so if you know this channel, we always ask why, we don't ask what, because if I ask you what a certificate is, you can always define it, but why do we really need it? So in this video I'm going to start pushing into the reason why we invented certificates, because there is always a problem and you solve it in a certain way. So how about we jump into it.

So here's a client, right? Let's say this is a JavaScript client, I don't know, a fetch command, a C# client, anything, right? It's about to make a request to a web server, I don't know, Apache, or nginx, anything. So let's say it's about to consume some content from this web server and you want to send a GET request, right? And we know that we cannot just send information in plain text, because some Karen here can sniff it easily because it's not encrypted. So what do we need to do? We need to encrypt it. Well, how do we encrypt stuff, guys? There are two types of encryption, symmetric and asymmetric, but let's stick with symmetric. It's a key, right, just like a vault: when you have a key, the key can open the vault and can also lock it. So the same key locks and unlocks. That's the best encryption algorithm, right, symmetric keys, because it's way faster. So that's good. Okay, so all we need to do is for this guy and this guy to have the same key and call it a day. Well, here's the problem: how do you generate a key here and the same key also here? That's a problem. You might say, well, I'm going to generate it in the client and send it over, right? But the moment you send it over, Karen can pick it up. We don't want Karen to pick up our symmetric key, because the moment she picks it up, she can see everything that we communicate. So we cannot use a symmetric key like that.

So what we did is we invented the idea of public key encryption, okay? And public key encryption is really simple. The server gets two keys, one red key and one beautiful blue key. This is called the private key, this is called the public key. Private, public. Either way works: you can use the public key to encrypt, and if you use that, only the private key can decrypt, and vice versa, you can use the private key to encrypt and the public key will decrypt. So it's a flipped operation. So the public key can be shared with everyone. In this case, here's what we can do. Let's just run through the scenario. So how about we run the same algorithm here: the client will generate the symmetric key that we want to agree upon, right? Say this is the golden key, the green key. All right, so I have that green key, this is the symmetric key, and I need to send this somehow to the server. Here's what we can do. The client will say, all right, I want to establish a communication with you, sir, but it's not going to send the symmetric key. It's just going to say, hey, I want to establish a communication with you. This is, by the way, TLS, and we talked about TLS, but this is going to be a different version of TLS. So, hey, I want to communicate with you, and then the server says, okay, here's my public key, son. That is my public key, take it, take my public key, beautiful, take it and use that key to encrypt that symmetric key and send it over. So the client does exactly that: the client will take that symmetric key and then it's going to encrypt it with the red key, which is the public key, and now when it takes the encrypted version of the symmetric key, it's going to send it over.

Obviously, guys, this is the old method. It's not recommended for perfect forward secrecy reasons, but I want to explain things from the beginning, right? So I take that and send it over. All right, and guess what? If the server receives that, it actually can use the blue key, which is the private key, to actually take that key and now have it. Now both of them will have the same key. And guess what? If Karen starts sniffing here, she will get that text that has the encrypted symmetric key, but guess what, she cannot do anything about it. She cannot decrypt it, because again, she doesn't have the private key of the server. So that's one way of sending information over, and then once you have this information, both parties can start communicating. So I'm going to start sending my GET request, I'm going to encrypt it with the beautiful lock and I send it over, and now the stuff will be encrypted. So that's how we do encryption. There are no certificates or anything yet, right?

What's the problem with this? Well, here's the problem, guys. If I now did the same thing here, I'm going to make a request to initiate, and the server will send me the public key, right? It's public, that's awesome, that's not bad. However, how do I know that sneaky Karen right here, Karen is yellow, and Karen also has a public key and also has a private key, so this is the private key of Karen, this is the public key of Karen, and Karen intercepted the message and says, no, server, I am going to send the client my key. So now, the moment you do that, how does the client know whether this is actually Karen's key or the server's key? There's no way to know that this key belongs to the server. This could belong to anyone else. That's why we needed some sort of a certificate. I don't know how to draw a certificate; is that supposed to be a certificate? That's not supposed to be a certificate. A certificate that proves that this public key belongs to the server. And meet certificate authorities, that sign this stuff, and we talked about certificate authorities. So that's why we need a certificate authority.

So here's what we do with a certificate authority. Let's run through this again. So what the server does, it says, okay, hey, certificate authority, which is a third party here, yo, I have a public key and I have a private key. I'm not going to send you my private key. I made the mistake, I accidentally said in the other video that I sent the private key; that's not correct, it's just a slip. We send the public key of the server, so that's the red key. So the server communicates with a certificate authority before it does anything. Let's remove all that stuff. So the server, before it does anything, actually communicates with a certificate authority to generate a certificate for its public key. So it says, okay, here's my public key, certificate authority, I want you to sign it. Okay, so the certificate authority will return a signed certificate, and here's how it looks. It's basically a certificate: it has the server name, which is, I don't know, nginx.com, whatever the server name is here, and it says, hey, this is the public key, that's the public key, and here's proof that we actually signed it, and it's like we added a signature. And what the heck is this? That is actually the certificate authority's private key. So the certificate authority has two keys as well. This is the private key, and this is, let's pick another, I'm running out of colors here, so that's the public key of the certificate authority, and that's the private key. So that's the public, that's the private. So the certificate authority uses its private key to encrypt, to actually sign, which is almost like encryption, almost, and then adds that signature to the end of the certificate. So now it's signed.

And guess what? This certificate is also linked to an intermediate certificate, which just says, okay, this is actually the certificate authority's certificate, because we need to also trust the certificate authority, right? So that certificate authority also has a certificate, a public key; it puts the public key here, and then it goes up the chain until we get to the root certificate. That's the root certificate. So there is a chain of certificates. So when the client gets this chain, when we start communicating and say, okay, I want to communicate with you, the server says, oh, I'm not communicating with you on anything before I send you the certificate. So the certificate, all this stuff, is being sent to the client, and the first thing the client does is verify the certificate. And how does it do it? It says, okay, this is your certificate, nginx.com, which is your server, right? Okay, I did receive it. So I'm going to take that, that's your public key, but I'm not going to use it yet. I'm going to see, okay, what is your certificate authority? Oh, it is, whatever it is, Let's Encrypt. I'm going to use the public key of the certificate authority and I'm going to encrypt that stuff and I'm going to see, will I get the same content, or is it the other way around, it's either way: decrypt that and it's going to match the public key. If it matches, that means, oh, that's actually correct. And then the client will also verify that this is actually correct by going to the root certificate and saying, okay, what's your public key? I'm going to use it to encrypt and make sure that the signature of the certificate authority also verifies. And it does that up until it reaches the root. Now, the root doesn't have a parent, so there is no signature here; it's self-signed, it's actually signing itself. So if it's signing itself, how do you trust it? The root certificate is actually installed here, right in your operating system. It's just installed on every machine.

So if one of those roots is expired, or it is invalid, or it's not there, then you're going to get this error. Let me show you this error. Here it is: untrusted root. If you click on this guy, this has been signed, it says, like, hey, that is an untrusted root. So this thing is actually untrusted; it's badssl untrusted root. So this might be okay, and it has been signed by a server, but this guy is not trusted because it's not installed on our server. I mean, you can do it, and some people do that, you can just go ahead and install that on your machine and everything will work, but you've got to know what you're doing, man, before you do that. And some work organizations actually force you to install their root certificate so they can look at everything you do.

All right, guys, so that was like a quick video on why we really need certificates. And even if Karen intercepted this and tried to respond back with her own certificate, she cannot fake all this chain, right? There's no way. So she can build her own chain, but tough luck coming up with a certificate authority that will sign nginx.com with her public key. Nobody will give her that. And there's like one case where a certificate authority's private key was exposed and people started issuing certificates that are valid for google.com and gmail.com, and it was really crazy back then. So that was one bad time where that certificate incident happened. Okay, that was like a short video talking about certificates, guys. Hope you enjoyed this video. Give it a like if you like it, subscribe for more software engineering and backend engineering videos, and I'm going to see you in the next one. You guys stay awesome.
Info
Channel: Hussein Nasser
Views: 133,492
Keywords: ssl certificate, tls certificate, web security, https website, certificate authority, ca certificate, x509, x509 certificate, 509 cert, certificates explained, ssl tls, transport layer security, secure socket layer, networking, cybersecurity, security+, networking +, cyber threats, cyber defense, IoT, Wi-Fi security, SSL certificate, cryptography CA Certificate Authority, green padlock, https, http over secure sockets layer, public key infrastructure- PKI
Id: r1nJT63BFQ0
Length: 14min 35sec (875 seconds)
Published: Sun Jun 28 2020