Digital Trust: How Your Browser Knows Who to Trust

Incoming transmission

Franklin Green saw the lock icon in his browser and assumed the site was trustworthy. It was a phishing page. It had a valid certificate. The lock means the connection is encrypted — it says nothing about whether the site is legitimate.

Certificates are the foundation of trust on the internet. Every HTTPS connection, every app that connects to an API, every email server that verifies it is who it says — all of it runs on certificates. And most people have no idea what they are, how they work, or why they expire at the worst possible moment.

This manual explains what certificates actually are, how the chain of trust works from your browser to the certificate authority, the different types and what they're actually for, and what happens when things go wrong — expired certs, revoked certs, fraudulent certs, and the rare but catastrophic CA compromise.

Five chapters. You'll never ignore a certificate warning again.

— Commander Shepard