Certificate Authorities and the Fragility of Internet Safety

submitted by
Style Pass
2024-12-01 04:30:04

Most websites use HTTPS to serve their users because HTTPS is more secure than plain-old HTTP. In the HTTP world, people sitting on your Wi-Fi could snoop and see your personal data and even change the content of the websites you are seeing. Similarly, adversaries could carry out the same attack by controlling any of the many routers sitting between you and the website. To prevent this, the browsers (and the web community at large) did a lot of work to advocate for the use of HTTPS.

For example, in 2018 Chrome announced that HTTP websites would be marked insecure by default. Other browsers did similar things to provide incentives for developers to switch to HTTPS.

It is kinda crazy that we can do this at all. The internet is an untrusted channel (adversaries can listen to and manipulate data traveling across it) and yet somehow we can build a trusted channel on top of it. How does that work?

We use a bunch of cool math! The only thing the math requires is that the website owners create a special “key” pair, publish one key as the “public” key, and keep the other secret as the “private” key. Now whenever someone connects to the website, the website returns the public key and the browser uses that (and the bunch of math) to validate/encrypt the data.
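To make the key-pair idea concrete, here is an added example (not from the original article) that uses textbook RSA to show both halves of "validate/encrypt": the browser side needs only the public key to detect content changed in transit and to send a secret that only the private-key holder can read. The function names and the fixed demo key are assumptions for illustration; real TLS uses randomly generated keys and padded schemes.

```python
import hashlib

# Constructed demo key: two known Mersenne primes. Real keys use random primes
# and padded schemes (RSA-PSS, RSA-OAEP); textbook RSA here is illustration only.
P, Q = 2**521 - 1, 2**607 - 1
E = 65537

def make_keypair():
    """Return (public, private) as ((n, e), (n, d))."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: inverse of e mod phi(n)
    return (n, E), (n, d)

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data: bytes) -> int:
    """Website side: only the private-key holder can produce this value."""
    n, d = private
    return pow(_digest(data), d, n)

def verify(public, data: bytes, signature: int) -> bool:
    """Browser side: check the data against the signature using the public key."""
    n, e = public
    return pow(signature, e, n) == _digest(data)

def encrypt(public, secret: bytes) -> int:
    """Browser side: anyone with the public key can encrypt."""
    n, e = public
    m = int.from_bytes(secret, "big")
    if m >= n:
        raise ValueError("secret too long for this key")
    return pow(m, e, n)

def decrypt(private, ciphertext: int) -> bytes:
    """Website side: only the private key recovers the secret."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    public, private = make_keypair()
    page = b"<h1>Your balance: 100</h1>"  # constructed sample content
    sig = sign(private, page)
    print("untouched page verifies:", verify(public, page, sig))
    print("altered page verifies:", verify(public, b"<h1>Your balance: 0</h1>", sig))
    print("secret round-trips:",
          decrypt(private, encrypt(public, b"session secret")) == b"session secret")
```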
