0

I recently heard from one of my friends that we can create our own SSL certificate.

So if I am going to create a fake SSL cert for a fake bank site, it's going to automatically get HTTPS and say secured in the browser address bar, right?

So how safe are HTTPS sites? (with respect to fake sites)

  • 1
    Possible duplicate of [Is Spoofing a CA signed certificate possible?](https://security.stackexchange.com/questions/20059/), [Why are self signed certificates not trusted and is there a way to make them trusted?](https://security.stackexchange.com/questions/112768), [Why is faking SSL certificate difficult?](https://security.stackexchange.com/questions/11832). – Steffen Ullrich Jan 07 '19 at 08:44

1 Answer

3

Your fake certificate needs to be signed by a Root Certificate. Root certificates are owned by Certificate Authorities. Certificate authorities are trusted by operating systems and browsers and their certificates are implanted in our devices. If your fake certificate can't be verified by any of these authorities' certificates then you cannot have that little green lock in the browser.

daygoor
  • That solves most of my doubt, then how do sites like https://www.sslforfree.com/ work? – Srinath Ganesh Jan 07 '19 at 09:14
  • 1
    @SrinathGanesh on their website they say "**Let's Encrypt** is the first free and open CA. We generate certificates using their ACME server by using domain validation". **Let's Encrypt** is a free Certificate Authority who says: "As of the end of July 2018, the Let’s Encrypt root, ISRG Root X1, is directly trusted by Microsoft products. Our root is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry." – daygoor Jan 07 '19 at 09:31
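
The trust check described in the answer can be reproduced locally with the `openssl` command line. This is an added example, not part of the original posts: a throwaway root stands in for the browser's root store, and the names `Demo Root CA` and `bank.example` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo: "Demo Root CA" and "bank.example" are made-up names.

# Prints "trusted" if cert $2 chains to the root in $1, else "rejected".
verdict() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# Sets CA_SIGNED and SELF_SIGNED to the verdict for each leaf certificate.
cert_trust_demo() {
    local d
    d=$(mktemp -d) || return 1
    # Minimal config so the demo does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = unused' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/cnf"

    # 1. The root we choose to trust (stands in for a browser's root store).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1

    # 2. Leaf for bank.example, signed with the root's private key.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cnf" \
        -subj "/CN=bank.example" \
        -keyout "$d/good.key" -out "$d/good.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/good.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/good.pem" 2>/dev/null || return 1

    # 3. Same subject, but self-signed: nobody in the trust store vouches for it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/cnf" \
        -subj "/CN=bank.example" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1

    CA_SIGNED=$(verdict "$d/ca.pem" "$d/good.pem")
    SELF_SIGNED=$(verdict "$d/ca.pem" "$d/self.pem")
    rm -rf "$d"
}

cert_trust_demo && echo "CA-signed: $CA_SIGNED, self-signed: $SELF_SIGNED"
```

Both leaf certificates claim the same name; only the one whose signature chains to a root in the trust store verifies.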