Sign in Subscribe
Writings

How To Better Understand The Internet - Digital Certificates and Encryption

Yani Diagne

4 min read
How To Better Understand The Internet - Digital Certificates and Encryption
Credit: FLY:D

Did you ever access a page and something felt off?

You felt a bit uncomfortable because the small lock in the search bar was red and open. Also, the page probably looked a bit sketchy too.

That doesn't mean anything good, right?

Well, I can tell you exactly what it means.

Your connection is not encrypted, meaning a hacker could easily intercept the data that you're sending over the network.

That data is clearly visible to anyone who has access to your network traffic. A lot of bad stuff can result from that.

Not good...

That's why it's useful to understand more about Digital Certificates.

Doesn't sound like too much fun at first, but it's actually pretty neat.

What should you understand about Digital Certificates?

They are a crucial component of the Public Key Infrastructure (PKI) - a framework that avoids exactly those problems. It's an infrastructure that manages and secures the exchange of digital information. Oof...

Let's solely focus on the Certificate aspect here.

Don't get too overwhelmed when you didn't get it on the first try, me neither.

I do now though.

I'll explain it to you as if a 6-year-old would take part in the conversation.

What do you need certificates for?

So, as I said before, you need digital certificates to authenticate your identity in a safe way.

It's your Digital ID.

Example

When you plan on entering a country, you go to the airport and you'll have to stop at the security counter to show your passport.

Only after you successfully identified, you can go ahead.

How can we apply this to Digital Certificates?

A reason for the passport control is to check if we are legit. The only difference to the certificates is that they don't get dragged into a police room if they're not.

Having a certification is not legally required. Websites can operate without them, they just don't provide a secure connection to their users.

What I mean by that, is a certificate serves as proof that something is legit since they contain information about the issuer and the subject. (Picture)

Medium's Certificate 

How does this apply to you accessing the web?

So let's say you are on a shopping spree, again.

You visit a website and plan on buying the heck out of that store. It would be a bummer if that site is not legit and you type in all of your sensitive information (credit card, number, address, etc), just for someone to steal it.

As mentioned earlier, if it's not verified, it's not encrypted, and your data can easily be seen by someone interrupting the data transfer.

So, let's replace YOU going through security, with a random WEBSITE instead.

If everything is fine and the website successfully manages to go through security, the website gets a Digital Certificate. They now have proof that their page is secure for users.

Certificates are not limited to websites, they secure many areas:

-Signatures

-Encryption

-Web traffic

-Smart cards

The police serve as a trusted authority for us, but the websites also need one.

But from who? Who is their trusted authority? Who is giving them these certifications?

It's called CA - Certified Authority.

They are a trusted third-party entity that checks the certificate holder (the websites).

Medium's CA is Cloudflare 

Are you still with me? Feel free to ask a question in the comments or shoot me a message if something is unclear.

So how does it work?

Now we're getting a bit deeper, but I'll make it as easy as possible for you.

As you can imagine, it is a huge challenge to prove someone's identity online.

Are they really who they say they are?

To solve this riddle, we are using encryption, a method of disguising data so that others cannot read it.

The solution: Asymmetric Encryption (sounds fancy, but chill for a second)

Here is how it works:

There are 2 keys: public and private

The public key encrypts the data and makes it unreadable

The private key has the power to decrypt it. It's the only one here that can read the data.

But who has which key and how do they get it?

Here is where it gets interesting, and trust me, after this, enlightenment will follow.

You or your web browser send a request to the website that you want to access (this website hopefully has a Digital Certificate).

The website's certificate holds a public key.

Your web browser takes this public key from the certificate and decrypts the message.

After sending it over the internet, even if a hacker manages to intercept the message, he/she doesn't have the private key to decrypt the message, so the attacker can't read the information.

All good so far?

Again:

- You take the public key from the certificate to decrypt your message.

- You decrypt

- You send the decrypted message over the network

The web browser's certificate is the only entity that has the private key, no one else has access to the private key.

The private key is generated by the owner of the certificate, which would be the website you're trying to access.

The private key is stored on the website's server, and only the website owner has access to it.

Now, a highly skilled hacker could technically get access to the private key if the server is vulnerable, but that's for another story.

Lastly, the website receives your encrypted data and is the only entity that can encrypt and process the message.

Thats it. I hope that you could follow.

Conclusion

As I mentioned before, Digital Certificates can be used for other domains but I just demonstrated its general purpose.

I hope it was easy enough to understand.

One more time:

1. You decrypt with the public key

2. The public key comes from the website's digital certificate

3. The data is sent over the network

4. The website you sent the data to, has the private key (the one and only) to encrypt and read the message

5. Your request will be processed

Et voilà.

Sign up for more content.

Enter your email
Subscribe