"How do you think he does it, I don't know... what makes him so good?"
TLDR: There are two kinds of SSL/TLS certs - CA Signed verified certs and Self Signed unverified certs. Both give you an encrypted session that can't easily be hacked. If you get the address from someone you trust, you are theoretically just as safe with a self-signed cert as with a CA verified Cert. Read below for full details.
For a long time people have called me some variation of a PC wizard. In the past, it has always meant, "he is really good at computers," but lately - I feel like being a PC wizard has actually become perceived as something like being a master at arcane mystical knowledge that is unknowable and out of reach to the majority of the population.
Recently I put up a private-blog and web/telnet BBS at:
Feel free to visit and create an account if you want to hear even more of my thoughts, ramblings, opinions and experiences.
I had decided, like many of my friends and associates - that I had lost faith and trust in the large corporations that increasingly have a choke-hold on the flow of information on the Internet. John Gilmore is famously quoted as saying, "The Internet interprets censorship as damage and routes around it". This is true. The decentralized design of TCP/IP, the backbone protocol of Internet traffic - is designed to break traffic into packets, and send those packets out over multiple routes to the destination, and to reroute if one route is broken or unreachable. Sites like Facebook and Twitter became whirlpools of self-contained Internet traffic - destinations like a digital Hotel California, where you can check in any time you want, but you can never leave. The trick is, you opt into this Faustian agreement - by simply becoming so consumed with all of the content contained within Facebook's network that you seldom venture outside it. When you do, you go to some other dominant destination. Twitter, Google, Amazon. They don't need to worry about the Internet routing around censorship, because you're only consuming data within their private networks, which they control the flow of information within. Increasingly, they assure you that anything outside of their network is "fake news," is "untrusted". It hasn't been "fact-checked".
So, I put up an alternative. The number one reason people tell me they don't visit the website is because they get an ominous warning in their browser that "This site's identity can't be verified and may be trying to steal your information."
The alert above warns that "Your connection isn't private," and then describes that "attackers might be trying to steal your information from secure.wallofhate.com (for example, passwords, messages, or credit cards.)"
This is where being a PC Wizard comes in. People see this warning and they imagine that hackers are going to use a site to infiltrate their PC and gain access to their banking and financial records, watch them on their security webcams, and take control of their connected refrigerator and other appliances.
The warning is technically true. The site claims to be a site, and it can't be verified that the site is really who it claims to be. If you get an e-mail or text telling you that your Bank of America card has been compromised, with a link to click on, and you click it and get this message - then by all means run away. They're trying to get you to enter your account information on a fake site so that they can then log in to the real site and get access to your account. That is how a phishing scam works.
But if a friend you trust gives you the URL to his personal or private website and you click on it and get this message - you're fine to proceed to the site - especially if you're smart enough not to use the same account name and password on his site as you use on your Bank of America and Verizon accounts.
Here is how this works. In the early days of the internet, we used a protocol called HTTP (Hyper Text Transport Protocol) to connect to sites on the WWW (World Wide Web). For most people the WWW has become the internet. It wasn't a big problem when you just logged in and read a page. But as web pages became more interactive, and started to hide behind account logins that required passwords and had confidential information - this became a concern. When people started using public shared locations to access those sites, it became a HUGE problem. HTTP in an unencrypted, plain-text (or clear-text) protocol. Anyone sharing the network with you can look at your traffic and see everything you type in and send to the server with HTTP. It was very easy for hackers to go to a Starbucks or airport or hotel lobby and set up something called a "Man in the Middle" attack, where you thought you were connecting to Starbucks, but you were really connecting to their PC, which was impersonating Starbucks. Their PC would in turn hand you off to the real Starbucks connection, but all your data passed through their PC, where they would log it and steal it.
So, HTTPS, or SSL became popular. It is an encrypted tunnel protocol version of HTTP. Your PC connects to the destination site, they share some magic information back and forth, and set up an encrypted tunnel before any user information is exchanged, before any log-in or post is written or account information is viewed. It doesn't matter if there is a man in the middle, because the data isn't in clear-text. They can see that data is going back and forth if they hijack your connection, but they can't see what that data says. Of course, hackers figured out how to crack that encryption, and so now it is a cat and mouse game of the encryption improving, and then the hackers cracking the encryption algorithm, and then a stronger encryption algorithm being designed.
This part gets a little complex. It is the part where people start going, "You've got to be magic to understand IT." To enable SSL/TLS the site owner adds a thing called a "Certificate" to their webserver. It is a file that verifies that the site is who it says it is. It makes sure the names all match. I can't just put up a server called "https://google.com". The Internet has to be sure that every site on the internet is unique and matches a known IP address. This is how you type in a site name and get there. You talk to a thing called a DNS (Domain Name Server), and the DNS server looks at the name you want, looks at a list of names, finds the name you are looking for, turns that into a numeric IP address, and then sends you there. It is a little more complex than that - but that is the basic way it works. But I can get the domain name support.ru and then put "google" in front of it on a server and create a server called "https://google.support.com" This is far different than a site called "https://support.google.com" One is obviously real to an IT pro, the other is obviously fake. But to an average user, they both look like Google's real support site. But I can also send you a link that LOOKS LIKE "https://support.google.com" in an e-mail, but then redirects you to a site called "https://google.support.com" and that even might trick some IT pros if they're not paying attention. Certificates make sure that the site you are going to matches the name of the server. So, if the cert is for "support.google.com," the cert needs to be issued to "support.google.com". If it isn't, it'll warn you that there is something wrong with the cert when you try to connect. Which it should.
The browsers, made by companies like Google and Apple and Microsoft, started adding these ominous warnings designed for the lowest common denominator of Internet User, that warned if something seemed wrong with the Certificate. If there was a mismatch between the name on the cert or other issue that could possibly indicate the site was fraudulent.
At the time the idea was that if you were accessing a site over the Internet - the cert needed to be verified and issued by a trusted 3rd party authority. These are called Certificate Authorites, or CAs. They are a handful of big corporations not unlike Facebook, Microsoft and Apple - who have the sole authority to issue "trusted, signed certificates". Generally speaking they charge money, and it isn't cheap, for a certificate - and they make you go through some fairly involved hoops to verify you are who you are and you actually own the site for which you are getting a cert. It isn't an inherently bad thing. It actually does make the Internet more secure and more trusted.
But this is where average users not understanding the technology becomes a problem. When Information Technology started down this route, the idea was, "If you are hosting a public Internet site that anyone can connect to, you need a CA issued trusted signed certificate - but if you're hosting an internal company or business webserver, the IT staff can tell the users to just ignore the frightening warning message that the certificate isn't trusted."
So, the industry came up with a thing called a "Self-Signed Cert". That just means that the website operator knows they are the site they claim to be, knows they own the site, and doesn't need to spend money or jump through hoops to make the site secure, encrypted, and available to their employees. In fact, a site with a self-signed cert that is administered by competent IT security professionals is safer than a site with a CA signed cert that is administered by morons. The number of security breaches at high profile sites over the years proves this is true. The cert itself doesn't make you, or your data safe. The knowledge of the people running the site, and your own knowledge, are far more important to your data security than a Trusted vs. an Untrusted certificate. To be absolutely clear - everything else being equal - a self-signed certificate has the same level of encryption and security as a Trusted Cert verified by a Certificate Authority - assuming you trust the site operator.
The problem seems to be that people don't understand the frightening message their browser puts up when they hit a site that has a self-signed certificate. They think maybe their browser knows something they don't - that it has detected some sign that the site has been faked. If the user knows the site and received the site address from a trusted source - their web browser knows less than they do about the authenticity of the site. All the browser knows is that the site has a cert that is self-signed and not issued by an official Certificate Authority. That is literally all the dire warning about attackers trying to steal your information means. Your web browser doesn't know this - it just knows that this is something that attackers trying to steal your information do.
Increasingly - this results in a troubling situation. It reinforces the tendency of average users to stick to large, official corporate websites and to run away from safe, but . Certificates become more like a license and registration to host a "reputable website". A secure SSL/TLS website is a secure SSL/TLS website - even if it is a scam site, the data transferred is encrypted. If you were connected to a scam website, other cybercriminals in between would not be able to see the encrypted data transferred between you and the scam site, if it were over a SSL/TLS connection. Only the cybercriminals on the other end would have access to that data. SSL/TLS is secure, regardless of it the site is self-signed or used a CA verified cert. So self-signed sites are more like pirate radio. Unlicensed and unregistered cites that haven't gone through an official verification process. In the early days there was a lot of talk about the "Democratization of the web," and how it would allow everyone to have a voice that can reach anyone else. SSL/TLS is, perhaps unintentionally working against that goal at this point. More accurately, it may be being intentionally abused by the Big Tech industry to silence voices that Big Tech doesn't want heard. If so, all that Big Tech is doing is using consumer ignorance about the technology to scare them away from sites that do not use CA issued certificates. This is probably not healthy overall for the web, for the consumer, or for the spread of knowledge. To few big corporations control the flow of information in our society - and unfortunately SSL/TLS has become a tool that helps them maintain this control.
SSL/TLS is necessary and a good thing - but consumers need to understand it better - and browser companies should consider changing their warnings or linking to better descriptions of what those warnings mean. If they're going to scare the public about sites that do not have CA issued certs, maybe it should be their responsibility to educate the public better, as well. Right now their approach is either lazy or intentionally disingenuous. One is irresponsible, the other approaches being evil. The question I increasingly find myself asking is who is bigger threat to me, the scammers that want to steal my money, or the corporations that seem to want to steal my voice?