What's the point of SSL certificates?

Tag: ssl , https Author: dingctai Date: 2013-04-28

Doesn't everyone in the world have a copy of Gmail's SSL certificate? If so why does our browser trust gmail.com just because it sent me this certificate? Can't any old person send me this same certificate just by going to gmail.com and downloading it?

Best Answer

No. The server sends its certificate and a digital signature signed by its private key during the SSL handshake. Only the true certificate owner can do that.

This is all described in RFC 2246.

Other Answer1

Read up on... http://en.wikipedia.org/wiki/Public-key_infrastructure

Basically google sends down its public key to your browser through SSL. How can the browser trust it's really google? The public key in turn is signed by a CA (certificate authority). The browser is pre-configured with well known CAs.

It's not possible (or to be more precise hard enough to be impractical) to forge google's cert. That's because you don't have google's private key. Unless you used this same key, your forged cert would fail validation with the CA.

comments:

GMail's certificate is signed by a CA. Doesn't answer the question of why anybody can't send GMail's certificate.
@EJP see my edit
Still incorrect. The server sends the entire certificate, not just the public key which is inside it, and sends a signature over the certificate, not just the public key. If you use the wrong private key, the digital signature check fails: nothing to do with the CA. The proper reference is not Wikipedia, which doesn't mention what you describe here, but RFC 2246.