How does Google get away with using a self-signed certificate?
Literally everyone can.
How does Digicert get away with using a self-signed certificate?
They are fucking Google.
Retard
Wow, they should face a rape charge for that.
How do CAs use certificates?
What do you mean?
Self-signed SSL's are probably the most common thing in software development.
>what is a cert chain
why does it matter anyway if it's self signed?
What's the point of having the certificate if it's self signed?
>use self signed cert
>every browser blocks your page and tells the user it's unsecure and that they need to "add exception"
>be google
>browsers don't complain about self signed cert
How the fuck is this legal?
Law doesn't apply when google does things to others, why should it apply when I do things to them
By running their own Trust Service.
Because you don't understand the certificate trust system and the browser doesn't understand your personal signed certs for your personal services.
please explain, I'm also curious.
Is it because Google's is issued by an actual cert agency (Google) so it's legit and other self signed (by non cert agencies) are untrusted?
It's time to learn something: The S in HTTPS is a lie.
There is no law, no regulation about which SSL certificates are trusted and which ones are not.
Each browser has its own database of certificate authorities (and they are not always the same, a CA could work on Chrome but not on Firefox). The OS also includes a "system" database. On most Linux distributions, the system certificates come from Mozilla and are installed from the package ca-certificates.
Now comes the main problem about certificates: a root certificate authority can sign certificates for **any** domain name. And yes there are trusted CAs in a lot of different countries, like China.
In other words: If any one of the hundreds of trusted CAs decides to create a valid certificate for any domain (including sensitive ones like .gov), they can.
>It's time to learn something: The S in HTTPS is a lie.
The point of HTTPS is to encrypt, nobody cares about the rest bullshit (((certificate companies))) want to push upon you.
HTTPS means "HTTP Secure". Obviously the "Secure" one is false.
HTTPS has its advantages over HTTP: you can no longer perform passive attacks.
But it's good to keep in mind there are a hundred companies which can forge valid certificates that can be used in MITM attacks.
It's not within everyone's reach, but we've already seen compromised CAs.
E2E encryption.
See for yourself
you are right
but also
this.
No matter if a certificate is trusted or not, the encryption is there and this is the biggest gain of TLS. The TLD might be spoofed if the certificate is faulty but this is not really that relevant.
Despite this, I'm pretty sure that TLS is generally backdoored and can be listened to by authorities.
E2E is given, no matter if the certificate is trusted or not.
The point is that the green security sign next to secretonlinebanking.com is genuine and the URL is not spoofed. (e.g. leading you to enter banking data into a fake banking site although showing as "trusted")
Everyone can get a green lock from Let's Encrypt
>nobody cares about the rest bullshit
Chrome does, so no signed cert = dangerous site warning = 90% less traffic to your site
It's a soft power grab.
>ITT retards who know nothing about PKI
Oh wow, it's almost like if you're a trusted Cert Authority your certs are trusted by browsers.
What's the point in trusting a 3rd party to trust 2nd parties?
Your browser has the certificate saved beforehand so it can be verified without a 3rd party. There is no problem with a self-signed certificate as long as you (or your browser) have verified that certificate.
The whole point of a certificate is to provide assurance that the encrypted connection your computer is about to establish is the genuine server you intended to talk to and not an imposter (via MitM attack, DNS cache poisoning, whatever).
Self-signed certificates aren't any less secure than a certificate signed by a trusted 3rd party CA. You can just tell your browser / OS to trust the self-signed certificate that was generated and you'll be good to go. Obviously you run into issues when you have external users with web browsers that won't trust your certificate, but for that use case you look into Let's Encrypt or buying a cert from a 3rd party CA.
In those latter cases your computer is still trusting that the 3rd party CA isn't compromised and hasn't had their private keys stolen, or that the server endpoint you are talking to isn't compromised in some other way.
If the claimed URL isn't already used by someone else, retard. You have to have full control over the URL to get a certificate from Let's Encrypt
>Verified by: DUDE TRUST ME
Literally what does it matter? People don't look at URLs.
That's why the green lock symbol left of the URL and the absence of a certificate warning was introduced.
Also when users can't type the url it's not the fault of TLS.
Do you know anything about TLS and why it was made?
See You're going in circles.
yikes
lel
none of this shit matters anymore anyway since heartbleed
>Despite this, I'm pretty sure that TLS is generally backdoored and can be listened to by authorities.
You can't backdoor TLS, at best you can MITM
As someone who runs a server for a game you're not supposed to run custom servers for, working self signed certificates are the easiest thing to work without the unrecognised certificate meme. I used openssl and it was fine (to spoof as the URL) and my website showed under theirs.
Maybe it's an openssl thing though
It's obvious that your normie browser is gonna warn you that the website is "unsafe".
Didn't you read what
said?
This is why I'm working on designing an autistic protocol that prevents this :^)
no need, it already exists - onion addresses.
when the key hash is part of the address there's no need for CA