Why do we think SSL is good?

Question

I know that SSL encrypts data so that the ISPs can't access it, but we are implicitly letting another source like letsencrypt.org that verifies openssl certificates to be able to decrypt the data. How can this make data transfer safer? I mean I created my own SSL but browsers don't accept it as a valid certificate and we are enforced to use a third party certificate. This only means that we let another company to control over our private data transfer. What makes SSL certificate companies not to sell our private key?

I'm not a native English speaker nor a programmer, please edit my question to be more accurate.

I think this has so many misunderstandings that this will be impossible to answer. I think you need to read how SSL/TLS works. OpenSSL is not "another source". You do not "create your own SSL" but maybe you created an SSL certificate? Third parties simply validate your certificate and are not involved in the data transfer. . — schroeder, Mar 12 '22 at 16:05
@schroeder Now I understand. So, SSL companies only check if we have the private key of the keys created by ourself with a proof test? — user1234567890, Mar 12 '22 at 16:11

score 0 · Answer 1 · answered Mar 12 '22 at 15:56

What makes SSL certificate companies not to sell our private key?

The SSL certificate authorities never have access to your private key. Nobody but you does - that's why it's called "private".

When you submit a Certificate Signing Request (CSR):

Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate) which must be signed using the applicant's private key. The CSR also contains the public key chosen by the applicant.

So the private key signs, but is not itself sent to the CA.

score 0 · Accepted Answer · answered Mar 12 '22 at 16:05

What makes SSL certificate companies not to sell our private key?

SSL certificate companies (also know as certificate authorities, or CA's) do not have your private key. The certificate signing request (CSR) that you send to a CA contains your public key, and a digital signature that proves that you are in possession of the private key corresponding to that public key. But, it does not contain the private key.

I created my own SSL but browsers don't accept it as a valid certificate and we are enforced to use a third party certificate.

That's a good thing. If your browser accepted just any certificate, then what would stop an attacker from creating a certificate for your site, and MITM'ing your site?

With regard to openssl, are you confusing openssl (a program which is used to implement SSL/TLS) with a CA?

With regard to the overall sentiment of your question: Yes, we put our trust in CA's. Most of the time, CA's do what we expect, but there have been instances where they've failed. See If an adversary took over a major Certificate Authority, what bad things could they do? for some interesting reading on this subject. Also, see https://moxie.org/2011/04/11/ssl-and-the-future-of-authenticity.html for some ideas by cryptographer Moxie Marlinspike on how we might be able to rely less on CA's.

So, my understanding of SSL was wrong. Based on what you say browsers have to check validation of a certificate to check whether the public key was sent by the owner of a website or by someone in the middle. Which means there was no other way, I have to relearn how Internet works — user1234567890, Mar 12 '22 at 16:34
@user1234567890 That's right. When you go to https://www.paypal.com/, Paypal serves your browser a certificate, which contains Paypal's public key. A CA (which is trusted by all major browsers) verified that Paypal's certificate is true and correct, and the CA signed the certificate. Your browser verifies the signature, and verifies that it was made by a CA that it trusts, so it trusts the certificate. — mti2935, Mar 12 '22 at 16:40

Why do we think SSL is good?

2 Answers2