What the hell even is TLS security

TLS stands for Transport Layer Security. Essentially, it ensures that communications between a source and a destination are secure (the source being your computer and the destination being the website you are talking to, for example).

When we communicate with a service, we want it to be secure. Secure means the messages go to the right place. Secure means the message is encrypted and only readable by the party it is meant for.

So what is a certificate

A certificate is a specific identity for a service. You can think of it like your work ID, driver's licence or passport: each one belongs to an individual and carries unique information.

Certificates work by not only identifying the service, but also by sharing a public key. This public key is entirely visible; anyone can view it. The real trick with this key is that it can only lock. You can't unlock with it, or decrypt with it.

The public key of a certificate lets other people (you, for example) encrypt data that only the service can read. This way, even if someone else could intercept the package of data, it would be meaningless to them.

How does the service unlock the data? It has a second key, which it keeps private. This private key is the only way to unlock data encrypted with the public key.

This is how we can transport information back and forth to services online. The certificate not only acts as an identity; it also acts as the lock.

Certificates can be created by anyone, but if you want to be trusted online you will need to use a certificate authority.

So what is a certificate authority

Certificate authorities are in the business of being trustworthy. They sell trusted certificates.

Imagine you are on holiday. You are somewhere you've never been before and you want to buy some food. You aren't sure which shop to trust until you see a BigBrandCo store. You have one of their shops locally and it's always been great. So, to be safe, you step into BigBrandCo and buy your food.

Why did you trust BigBrandCo in a location you've never visited before? Why is it trustworthy just because it's a branch of BigBrandCo? Why didn't you trust the other shops?

You trusted the branch of BigBrandCo because you trust BigBrandCo itself. By opening that branch, they told you that this specific shop is safe and vetted by them.

Certificate authorities establish trust by asking website providers for some kind of proof. For example, to get the certificate for mine I had to prove I own the domain for this website. Other, stricter authorities might require much more proof (passport, ID card, etc.).

Your website certificate is signed by an intermediary, which is in turn signed by the authority. So this is the chain of trust?

Fine okay, what is the chain of trust?

The chain of trust is mainly there to protect the certificate and the authority. If a certificate owner proves to be untrustworthy, the intermediary can be invalidated, and only the few sites signed by that intermediary are affected.

Imagine for a minute that TrustedBigCorp is actually the company you trust, and BigBrandCo is just part of that group. If BigBrandCo gets taken over, or someone starts opening lots of BigBrandCo stores that are not actually part of the TrustedBigCorp group, trust can be removed from BigBrandCo without affecting the other subsidiaries of TrustedBigCorp.

In the same way, certificate intermediaries protect both the end user and the certificate authority by keeping the two separate.

As long as we trust the authority, we can work our way up the chain from certificate to authority, via the intermediary.
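To make the chain concrete, here is an added example (not part of the original post) that builds the TrustedBigCorp / BigBrandCo scenario in Go's standard library: a self-signed root, two intermediaries signed by it, and one website certificate under each. It then verifies both sites the way a browser would, and shows that withdrawing the BigBrandCo intermediary breaks only the site it signed. All names, hostnames and keys are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for name, signed by parent (a self-signed root when parent is nil).
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // the private half never leaves its owner
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: name}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the root and intermediaries may sign other certificates
	} else { // a website certificate names the host it identifies and is meant for server authentication
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // no parent: the root signs itself with its own private key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyChain walks from the site certificate up through the supplied intermediaries to a trusted root, as a browser does.
func verifyChain(site *x509.Certificate, inters, roots []*x509.Certificate, host string) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rootPool.AddCert(c) }
	for _, c := range inters { interPool.AddCert(c) }
	_, err := site.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	return err == nil
}

// Demo reports whether each site verifies with both intermediaries present, then with BigBrandCo's withdrawn.
func Demo() (aBefore, bBefore, aAfter, bAfter bool) {
	root, rootKey := mkCert("TrustedBigCorp Root", true, nil, nil)
	brand, brandKey := mkCert("BigBrandCo Intermediate", true, root, rootKey)
	other, otherKey := mkCert("OtherSub Intermediate", true, root, rootKey)
	siteA, _ := mkCert("a.example", false, brand, brandKey)
	siteB, _ := mkCert("b.example", false, other, otherKey)
	roots, both := []*x509.Certificate{root}, []*x509.Certificate{brand, other}
	aBefore, bBefore = verifyChain(siteA, both, roots, "a.example"), verifyChain(siteB, both, roots, "b.example")
	// Withdrawing BigBrandCo breaks only the site it signed; OtherSub's site still reaches the root.
	aAfter, bAfter = verifyChain(siteA, both[1:], roots, "a.example"), verifyChain(siteB, both[1:], roots, "b.example")
	return
}
```

Only the root is placed in the trusted set; the intermediaries are supplied alongside the site certificate, just as a web server sends them during the TLS handshake.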

So why do I trust lots of websites

The short answer is that your computer and browser come pre-loaded with lots of very trusted certificate authorities, who have worked hard to be included in this list.

You can, of course, add more certificates, intermediaries or authorities depending on what you want.