I'm studying computer science and I'm trying to wrap my head around SSL certificates, especially self-signed ones. My understanding is that when I send a message on Reddit, it gets encrypted using the public key in the SSL certificate, and then the server, which has the private key, decrypts it. However, I know that SSL does not protect against phishing attacks, since it only encrypts data and doesn't ensure the website's authenticity. So I'm confused about why self-signed SSL certificates are seen as a bad practice. They seem to do the same job as certificates from Let's Encrypt in terms of encryption, but I'm curious about the security implications and how trusted certificates prove a website's legitimacy. How is it that a trusted SSL certificate is more secure than a self-signed one? Also, it seems like anyone can get an SSL from Let's Encrypt, so what prevents someone from getting a fraudulent certificate for phishing purposes?
1 Answer
Self-signed certificates don’t provide any assurance about the identity of the website. So if a hacker were to spoof the DNS for a site, you wouldn't know whether you were really visiting the site or not. Trusted Certificate Authorities (CAs) like Let's Encrypt verify that the owner has control of the domain before issuing a certificate, ensuring you're connecting to the legitimate site. Without this verification, self-signed certs aren't reliable since anyone can create one without proving they're the actual owner of a domain.
But isn't just checking the domain enough to avoid phishing? If I type facebook.com, it should take me there regardless of any cert, right?
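The trust decision described in the answer, as an added example that is not part of the original thread: a toy model of the three checks a client makes (issuer in the trust store, signature valid, name matches). It uses textbook RSA over known Mersenne primes in place of real X.509 and omits expiry, revocation and intermediates. "Example CA", `attacker.example` and all keys are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def make_key(p, q):
    """Textbook RSA key from two known primes (toy size, no padding)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(subject, pubkey, issuer, n):
    """Hash of the fields a certificate binds together, reduced mod n."""
    data = f"{subject}|{pubkey}|{issuer}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, pubkey, issuer, signer):
    """Sign (subject, pubkey, issuer) with the signer's private key."""
    h = digest(subject, pubkey, issuer, signer["n"])
    return {"subject": subject, "pubkey": pubkey, "issuer": issuer,
            "sig": pow(h, signer["d"], signer["n"])}

def validate(cert, hostname, trust_store):
    """Client-side verdict for a certificate presented for `hostname`."""
    issuer_n = trust_store.get(cert["issuer"])
    if issuer_n is None:                      # nobody we trust vouches for it
        return "reject: issuer not trusted"
    h = digest(cert["subject"], cert["pubkey"], cert["issuer"], issuer_n)
    if pow(cert["sig"], E, issuer_n) != h:    # not signed by that issuer's key
        return "reject: bad signature"
    if cert["subject"] != hostname:           # valid, but for another name
        return "reject: hostname mismatch"
    return "accept"

# Constructed keys: products of Mersenne primes, far too weak for real use.
CA = make_key(2**61 - 1, 2**89 - 1)
SITE = make_key(2**107 - 1, 2**127 - 1)
ATTACKER = make_key(2**31 - 1, 2**521 - 1)
TRUST_STORE = {"Example CA": CA["n"]}         # what the client ships with

# The CA issues only for names whose control the requester has proven.
legit = issue("facebook.com", SITE["n"], "Example CA", CA)
attacker_own = issue("attacker.example", ATTACKER["n"], "Example CA", CA)
# Anyone can mint these two without the CA's involvement.
self_signed = issue("facebook.com", ATTACKER["n"], "facebook.com", ATTACKER)
forged = issue("facebook.com", ATTACKER["n"], "Example CA", ATTACKER)

if __name__ == "__main__":
    for name, cert in [("legit", legit), ("self_signed", self_signed),
                       ("forged", forged), ("attacker_own", attacker_own)]:
        print(f"{name:13}", validate(cert, "facebook.com", TRUST_STORE))
```

The self-signed certificate would encrypt traffic just as well as the CA-issued one; it is rejected only because nothing in the client's trust store vouches for its key. The attacker's CA-issued certificate is valid, but only for the name the attacker actually controls.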