Parliament Hill Computers LtdParliament Hill Computers Ltd

Why do we SSL need certificates?


Just do it

Irrespective of the technical reasons (below) — you just need to do it. Many of the browsers are hinting that non HTTPS sites as insecure; this will get worse, in July 2018 the Chrome browser will mark non-HTTPS websites as insecure, this will put people off from visting your web site.

Introducing the man in the middle

For SSL encryption to work the server and browser need a shared secret — the encryption key. As the two parties might not have been in touch before they need to exchange this secret over the public Internet. A way of doing this was worked out by Merkle, Hellman & Diffie.

This works well but has a big flaw: something sitting between the parties can speak to them pretending to be the other party; agreeing a different key and decrypting & re-encrypting the traffic on the fly, it is not hard to do this fast enough that neither party can detect that this is going on.

Such a machine is called a man in the middle. It is not very hard to do: the corporate Internet gateway could do it; governments have been doing this for many years.

Guard against the man in the middle

A SSL certificate guards against the man in the middle by providing the browser with assurance that the encryption key that the server suggests really does belong to the server.

The way that this works is that the certificate is signed by a certificate authority (CA) and the browser has, hard wired into it, the signing keys of around 200 CAs (typically). These CA signing keys are shared secrets.

Let's Encrypt certificate chain

The Let's Encrypt certificate is not (yet) pre-known to most browsers, however its signing key is signed by IdenTrust — which most browsers do know about.

This certificate chain information is provided to the browser by the Apache web server.


Next page: How Let's Encrypt works

Return to How to Configure Let's Encrypt with acme_tiny.py

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.