Why is google allowed to verify itself

why is google allowed to verify itself

probably because google trusts itself

can't anyone do this?

i don't

twitter.com/errstr/status/883446170101657601

don't trust anyone
not even yourself

google is considered a trusted certificate authority by your browser/os

i don't see the potential issue here. in what way do you think the purpose of the certificate is impaired?

what this guy said
The problem with identification is getting the certification to the client. Since we obviously can't supply a program with self-signed certs for every possible server, we use 3rd-party servers.
In other words, there's nothing wrong with self-signed certs, only with making sure they are who they say they are. SSH basically works with self-signed certs all the time.

lost

That's because if you trust Google you trust Google

>SSH basically works with self-signed certs all the time.
Samefag here, I do know there are options like SSHFP records but they are not very widely used

Google is a certificate authority. So whatever claim about identity of a website they make, your system believes it. It doesn't make a difference if google authority or some other authority claims that google.com is indeed owned by google company.

another samefag, the problem is of course to get the authority certificate to the browser. this is managed by the browser or operating system. updates often add or remove authorities.

on windows you can run certmgr.msc to see the certificate authorities.

You don't have to.

That's not what it says. It doesn't say this browser trusts this website. It says google.com is trusted by google trust. It's entirely absurd. Don't try to rationalize how fucked up certs are.

>It says google.com is trusted by google trust.
You're confused. If Google is a trusted CA by your browser, it doesn't make sense to require google's sites to be "trusted" (aka: certified) by someone else's CA. There's a short circuit in your reasoning but probably you can't see it since you're a brainlet.

Certs are all about centralized authentication. You personally get to choose which CA you care for.

>It says google.com is trusted by google trust. It's entirely absurd
It's not absurd at all. The question is if your system trusts the claims google trust makes or not. What difference would it make if another authority, e.g. Symantec, would guarantee the identity of google.com?

>make my malware botnet
>release it on github
>make my malware website
>make it the homepage of my malware bot
>"Malware botnet certifies that malware homepage is safe"

Do you see how stupid that is if you apply it to normal people and not Google?

wouldn't work.

you would get one of these messages

normal people are not google and thus they are not CAs trusted by browser vendors, your reasoning is invalid.
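
Added example, not part of the thread: the trust-store point made in the replies above, reproduced with `openssl` on a throwaway PKI. Both roots are self-signed in exactly the same way; the only difference is which one is in the verifier's store, and all names and files below are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo PKI: every name here (Demo-Trusted-Root, Botnet-Root,
# good.example, evil.example) is made up for illustration.

# new_ca DIR NAME: create a self-signed root. Root CA certificates are
# self-signed; that signature proves nothing by itself.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA HOST: have CA sign a leaf certificate for HOST.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# trusted STORE CERT: succeed only if CERT chains to a root listed in STORE.
# Any system roots openssl may also consult signed nothing in this demo.
trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_demo: two roots made the same way; only one is copied into store.pem,
# which stands in for the list the browser or OS vendor ships.
build_demo() {
  DEMO_DIR=$(mktemp -d)
  new_ca "$DEMO_DIR" Demo-Trusted-Root && new_ca "$DEMO_DIR" Botnet-Root &&
  issue "$DEMO_DIR" Demo-Trusted-Root good.example &&
  issue "$DEMO_DIR" Botnet-Root evil.example &&
  cp "$DEMO_DIR/Demo-Trusted-Root.pem" "$DEMO_DIR/store.pem"
}

build_demo
for c in Demo-Trusted-Root good.example Botnet-Root evil.example; do
  if trusted "$DEMO_DIR/store.pem" "$DEMO_DIR/$c.pem"
  then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

The root in the store and the leaf it signed are accepted; the other root and its leaf are rejected even though their signatures are just as valid.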

>if there's https on a page, then the content of the page is "safe"
>https = no virus
you're not that ignorant, are you?

The DoD has the same thing.
DoD is a CA, so they can verify their own sites.

it seems you don't understand what certs actually certify.
strictly speaking, one could use Let's Encrypt and certify whatever they want (without being a CA themselves, but being a CA doesn't mean jack shit)

>twitter.com/errstr/status/883446170101657601
jesus fucking christ.

Lmao, nice