Why are self signed certificates not trusted and is there a way to make them trusted?

  • 9,000
  • Tác giả: admin
  • Ngày đăng:
  • Lượt xem: 9
  • Tình trạng: Còn hàng

Actually, self-signed certificates can be secure, just not under the model we're using now.


Under the wide-spread CA (certificate authority) model that everyone uses currently, the purpose of the certificate being signed by a trusted CA is to tướng provide authentication.

When we get a certificate, all we really see is 1's and 0's coming in from the jack in the wall; we have no idea where those 1's and 0's came from. However, because the certificate is signed by a CA - something that no one in the world other phàn nàn that CA can tự - and because we trust the CA to tướng verify the identity of the certificate's owner, we trust that the certificate comes from who it claims to tướng.

Of course, if the CA is compromised or doesn't correctly verify the owner, all bets are off.


However, there is another model, under which self-signed certificates do provide authenticity. It's called the notary model.

Essentially, rather phàn nàn trusting a single CA, we distribute the trust to tướng any number of notaries. These notaries scour the Internet in tìm kiếm of certificates, keeping a cache of all the certificates they've seen. When you visit a site for the first time and obtain the certificate, you ask a number of globally-distributed notaries what the last certificate they saw was. If they disagree with what you're seeing, you could be a part of a man-in-the-middle attack.

Under this model, self-signed certificates are perfectly secure, as long as we assume the server isn't immediately compromised before any notary can ever view its certificate.


The notary-model is still in its infancy, and its doubtful it will ever take over the CA model (actually, it doesn't have to tướng - they can be used in tandem). The most promising project so sánh far is Convergence.io, which has a plugin for Firefox.