At 7:53 I incorrectly said that the server sends the public key and private key obviously that is not correct it was just a slip. It only sends the public key and the information. The private key is only known to the server. I explain this fully here What are SSL/TLS Certificates? Why do we Need them? and How do they Work? th-cam.com/video/r1nJT63BFQ0/w-d-xo.html
I was just about to a ask you the same. Thanks for pinning the same. Like your stuff found you yesterday and been watching your stuff. Subbed and thanks for your hard work.
haha..opps... You'd be owned right there. Funny guy.. Never saw someone who explains certificates in a humorous way before (there's a first for everything)
let me go ahead and say that without fancy animations or graphics, just your hand-shaking-thing you were able to very well convey the explanation. thanks!
Man, Man, Man!!! You described the problem first. Then, you described the solution. Giving us enough context to understand why the tool exists. Instead of just jumping into the usual cliche way of "explaining" rhese kinds of stuff by watereing in down and basically explaining nothing. No fancy animations, no useless "fun" "non technical" explainations. Just raw fact. Thanks a lot for your empathy.❤❤❤
Ok 2 things that are very wrong: 1- the server that needs a certificate never sends the private key to the certificate authority. 2- to verify a certificate you don't encrypt and compare. You actually decrypt the signature of the certificate authority using the CA's public key so you get the hash and then you hash the certificate and compare the two, the one you calculated by hashing the contents of the certificate and the one you got from decrypting the signature. If these values match then it's verified. And I am omitting here the chain of authority like you did in the video. Hence I am considering the certificate authority is the root CA.
Your way of explaining "why?" is a unique approach these days compared with others who are wasting our time on how to do things without actually understanding them. But still, there is an opportunity for improvement; I wish you had drew the process instead of distracting our attention by imagining the situation and following your hands. In my opinion, that would be much better. Anyway, your effort is much appreciated. Thanks.
New to the channel, 20 seconds in. I'm already so intrigued by your energy. The explanation is top-notch too, no jargons, no beat around the bush, just straight-up simple straightforward explanation
Completely hooked to your channel. Every topic that you bring out a video on is something that I was always curious but did not get time to read about it. Also, very well explained. Thanks a lot!
Good stuff here. I love the 'why' approach to teaching with the real life example. To solidify the knowledge you add the memorable story about Kazakhstan. Thanks for this
Hello Hussein, you said the CA encrypts the server's information as well as its public key with the CA's private key to issue it a certificate and the client even though trusts the CA verifies the server's certificate by using the public key of the CA to encrypt the information in the server's certificate and then compares it with the part the CA encrypted. How would they match when the CA uses it's private key for encryption and the client uses the CA's public key for encrypting the content of the server's certificate
Excellent! Thank you! One question: What stops the man-in-the-middle from taking the certificate he recieves from google and passing it on to the client?
Hi, thanku for giving me heart. I have a question 🙋.. Can u plz tell me the public and private keys are generated when and where its stored. And how they are generated.. Plz.. Its been months since nobody has answered my question
Thanks for this video. Im learning about this in school right now and was having a hard time understanding it but you cleary explained the process. These textbooks go a little off track on some of these things lol!
Perhaps the companies could store their public Keys in some kind of blockchain, that way we wouldn't relay in Root authorities, of course that will have some cons aswell
Thanks Hussein for all of this. Helps a lot! Can you (or anyone reading this) expand on why the man-in-the-middle can't just forward the certificate provided by Google to impersonate Google for example. That's the only piece im missing!
Hussein, thank you for your videos I've been watching a few of them last few days and noticed today in your background you have a bunch of programming books. How useful would you say it is reading books to truly understand a concept vs just either just getting dug in the problem or watching videos etc.? E.g. lets say there is a concept I really need to understand in Azure and how to setup certificates, key rotation and be able to setup some form of automation testing. Now I have such limited knowledge on everything that entails.. when do you think is a good idea to just slow down and pick a book up rather than attack the problem head on always? This might be a video idea for you!
Thank you very much about this video, it explained a lot as other explanation didn't give technical explanation about how this works and also specially that you giving example which made it much easier to understand. at 9:25 does we use public key to encrypt or decrypt?
Hi Hussein. Thanks for the video. I'm not sure I completely understand the certificate verification part. I understood it as if I need to validate the certificate that is encryped with googles public key and the CA private key. How does that vertification happen? How do I end up with a certificate that is equivalent to that of the one signed by googles public key and the CA private key when I don't have the CA private key?
I could be mistaken but it may be wise to apply Preventative maintenance efforts when it comes to the CMOS battery. Again I could be misunderstanding but if the CMOS battery fails or the NTP server, this may require manual peer list to align with the domain controllers. Are these concerns? Maybe a good discussion you can shine light on? I’m guessing locking out all end user accounts will allow to re-sync. Is this paranoia? Or do I have the right idea?
Hey Hussein, Thanks for your great content, I have a question here, might be a bit basic. We don't get the unencrypted data from the server right, how does the client generate the encrypted data with the public key of the certificate authority?
Great informative video Hussein; I got a doubt about how servers generate public and private keys which are already not registered with CA? suppose "server A" generated a key pair and sent it to the CA(only public key, as your pinned comment says) then "server B" generated the same key pair and send it to the CA, how CA will handle this ambiguity? I don't know what I am saying is even correct...
So the private/public keys are only established by the CA. They use their private key to provide you with a signed certificate based on your company inputs. When a client downloads the certificate from some server trying to establish an SSL, the client immediately starts off by validating the signed certificate by using the public key of the associated CA. This is almost (if not completely), identical process of how JWTs work
Great video. I have one question, why can't google themselves provide a certificate? For example, if they encrypt a file with their private key and send it back to you and then you use their public key to decrypt the file. Since you're using their public key to decrypt the file, that means that only the person who had the private key could have encrypted that message. I understand this might be difficult to implement because instead of keeping track of a few CA public keys you would need to locate the public key of each endpoint you were communicating with.
As you said" you would need to locate the public key of each endpoint you were communicating with", this is what we do with existing flow. Google does share its public key with us with each request, but to prove that the public key truly belongs to Google, we check it with Certificate Authority.
@@kushalkarmani3076 And how can we be certain that the public key is of the CA? Just how an attacker might act as google, can they not act as a CA and claim that Googles certificate is legit? If the CA is acting just as a database, can't google have their own repository showcasing their legit public/private key?
@@kushalkarmani3076 I re-watched the video and caught the explanation. For anyone else who was thinking this; basically he said that the CA certificates are at the app/OS level and trusted by the system itself. As such, from what I interpreted the certificate from the CA is not established via a handshake but already on the device. Please correct me if I am mistaken.
2:10 No, TLS uses two different Asymmetric keys; public key to encrypt and private key to decrypt 7:45 What! hell no. Private key must never be shared, otherwise you broke the main concept of the SSL/TLS.
For your first point, I am afraid you're not entirely correct because TLS actually uses both asymmetric and symmetric encryption during a TSL Handshake. The second point, yes you're correct, but it is probably just a slip of the tongue.
דוד לוי thanks! I actually explained it in What are SSL/TLS Certificates? Why do we Need them? and How do they Work? th-cam.com/video/r1nJT63BFQ0/w-d-xo.html. this video in details
I have a question here, not sure if that sounds silly. What if someone breaks in middle while we are connecting certificate authority for verification?
Very helpful..thanks for doing these.. do you have book recommendations for various topics like - security, networking, distributed systems, microservices etc. basically for everything related to backend.
So even with an Asymmetric key using both public and private on both ends can the information still be intercepted as explained or was this lesson in reference to symmetric single key encryption?
Thanks for explaining this topic. In many videos you have talked about Relational DB can be scaled for reads , Can you make a video to explain this by example and also how MySQL global transaction actually work by an example , thanks for your awesome work.
I tried to connect a TOP OPC UA Server with UA Expert Client. I do the certificates by using OpenSSL. I didn`t use an intermediate certificate, just the root, which signs the server cert and the server signs the client cert. The connection is being recognized, because a pop up window appears stating that the connection was recognized. But once I click on the connect button in UA Expert an error occurs saying: Error: UaSessionPrivate::activateSession - can't find X509IdentityToken in endpoint description. Thank you for your feedback if possible.
At 9:19 you incorrectly said "Encrypt the content" while it's a Decryption process from your end (from the client's end/the message receiver), and Re-Hashing afterword's for comparing purposes... so you can ensure the integrity and authenticity of the digital certificate or the message you have received from Google in your example. @Hussein Nasser
Can u also talk about the chain of trust. Cert pinning and public key pinning? Also what if Hacker just gives the real cert of Google to you.? You will see that cert is valid right? It looks like that the connection gets established but the client encrypts the data with public key of real Google and hence the Hacker can't actually see anything there? Is this true that the connection gets established ?
Friendly Developer Thanks , good concepts . I talked about some of them here Global ROOT Certificate Expiration Causes Stripe and Roku to stop working on 5/31/2020 (Explained) th-cam.com/video/haLxy1e_Hwo/w-d-xo.html If the hacker forwards the cert of google to you than they can’t really see anything because the keys are established between google and the client. Check out my TLS video
Nice work, I am researching how I could have intranet web service using https. It seems you can’t have this kind of certificates for in-house servers. But I don’t want to have the traffic as plain text. How this could be done... Should I make my CA and add a certificate to each and every device, or there is something better? Thanks
Google Cert will be signed by trusted CA which is signed by a trusted ROOT cert installed on our machines. Hackers won’t be able to get a fake google cert signed by a trusted CA (though It did happened before to a CA called diginotar, they got banned out)
My new android comes with root CA from China, Hong Kong, Taiwan, Japan, and a few other countries. Wouldn't I want to shut those off? Why would my device need to trust their site?
Exchange migration could be one useful when here.. however the very real issue (most overlook) is in order to keep 'that trust' the new server must be the same...During a live migration, this is technically impossible, as two servers cannot have same name on network, and allot of things break if you try and change name on new one to old name afterwards... So MS, and probably few others, just say "its not advised" and its more convent to just "get new one" Well.. ya, if you wanna go down THAT path, but sometimes you just wanna keep the name.. Everyone goes silent.. And besides,,, it will save the cost of a cert by moving one over.. These days,, i think no one wants people to migrate certs is not because it cannot be done, but because everyone wants $$$$$
Hello All, Kindly verify my understanding. It has been challenging to understood this concept for some time. Now i have put all the points together. Kindly clarify my understanding on this (A) ACME corporation generates private and public keys using OpenSSL tool (B) ACME corporation generates CSR by using public key and other information like Company Address , Company details etc. Sends CSR to CA (C) CA verifies CSR and creates signed CERTificate (CERT) by signing with CA's private Key (D) ACME corporation stores signed CERT 1. Client connects ACME corporation server with https protocol 2. ACME corporation sends the signed CERT to the client 3. Since the Client will have CA's public key of CERT, it should be able to open the certificate and validate if it is indeed issued for ACME corporation. (Note : All the Browser's will have public keys of CAs) 4. Client gets the public key which is inside the cert. 5. Client will create session key and encrypt with public key and sends the encrypted session key to ACME corporation server 6. ACME corporation server sends OK signal 7. After this point, secure communication happens from Client to ACME corporation server. Which means client will encrypt the message with session key, then ACME corporation server decrypts the message with private key (which was created in step A) (ACME corporation is the only entity holds private key, no one in the world will have it) 8. When message is send to Client, only client can decrypt the message because it is sole owner of session key(no one in the world will have the session key) . Can you anyone validate 8th point. I am guessing session key at the client's side key can be used to decrypt the message sent by server If man in the middle sniffs the data packet, then he can't do anything because it is encrypted with session key. And session key is encrypted with public key. Unless he steals the session key in step 5 he can't decrypt the message. However for this to happen, he should also get public key, but even with the public key he can't decrypt the message
@hnasr, can you help me pls? I am opening exe file with 7zip and have .tls (empty file in Windows CRLF encoding) and CERTIFICATE ( file in Macintosh CR encoding, where all symbols messed, except strings indicating urls to .crl and CA names) Can you reproduct the same on your exe and explain what this .tls stands for? And how to decode CERTIFICATE?
Love your videos! Just a request, could you make videos on caching with redis? Particularly feed caching like twitter, instagram. Push and pull model. Thanks
Shree Ranga Raju thanks Shree! Nice idea I did discuss Redis here th-cam.com/video/sVCZo5B8ghE/w-d-xo.html but I am yet to make a dedicated video on caching strategies🙏 I discussed push and poll here th-cam.com/video/8D1NAezC-Dk/w-d-xo.html
@@hnasr Thanks Hussein. I did check them out. They're great! But with a real example would be even better I guess. Just a thought. Yeah, like you said with caching strategie :)
They can but it will be pointless as they can’t change anything in the encrypted messages. the moment they try to change anything in the message or intercept traffic they have to prove they own the private key of google which they don’t and as a result the client will reject the message
I have a doubt wrt to CA and their digital signature. So website owner gives some Information to CA, CA encrypts that with its private key. Now the websites will send the browser the same information along with the content which CA encrypted. Now you said the browser will encrypt the information with CA public key and compare it with the CA encrypted content and trust if both are same right? My doubt is does asymmetric key work like this? Public key - PU Private key - PR Content - C So, C encrypted with PU == C encrypted with PR ??
Good question! So private key encrypts and public key decrypts (it can also do the reverse too) The trick we do to verify the signature by decrypting the signature with the CA public key and comparing it to the content. If it matches we know its good because only the CA could have made that signature with the corresponding private key
If that was ever discovered (which I am not sure how yet) the CA will be untrusted immediately. OCSP will kick in. If trusted CA provided its private key to a government and that government started issuing certificates on behalf of the CA the government still need to intercept the traffic somehow by implementing a L7 Proxy which users need to specify to access the internet
At 7:53 I incorrectly said that the server sends the public key and private key obviously that is not correct it was just a slip. It only sends the public key and the information. The private key is only known to the server. I explain this fully here
What are SSL/TLS Certificates? Why do we Need them? and How do they Work?
th-cam.com/video/r1nJT63BFQ0/w-d-xo.html
Is the only reason to buy a certificate that you're accessing data over a wan and say you don't have reservations about it inside the network?
I was just about to a ask you the same. Thanks for pinning the same. Like your stuff found you yesterday and been watching your stuff. Subbed and thanks for your hard work.
haha..opps... You'd be owned right there. Funny guy.. Never saw someone who explains certificates in a humorous way before (there's a first for everything)
You should have just made a new video without the slip of a tounge
let me go ahead and say that without fancy animations or graphics, just your hand-shaking-thing you were able to very well convey the explanation. thanks!
Donato Azevedo thanks Donato! 🙏
This video was literally so helpful. We really need more people who teach like you in computer science.
"We don't ask what it is... we ask WHY does it exist?" Great approach, excellent content. Thanks for sharing!
Exactly!
My thoughts exactly! I believe that knowing what issue arose helps to gain understanding.
Man, Man, Man!!!
You described the problem first. Then, you described the solution. Giving us enough context to understand why the tool exists. Instead of just jumping into the usual cliche way of "explaining" rhese kinds of stuff by watereing in down and basically explaining nothing. No fancy animations, no useless "fun" "non technical" explainations. Just raw fact. Thanks a lot for your empathy.❤❤❤
Ok 2 things that are very wrong:
1- the server that needs a certificate never sends the private key to the certificate authority.
2- to verify a certificate you don't encrypt and compare. You actually decrypt the signature of the certificate authority using the CA's public key so you get the hash and then you hash the certificate and compare the two, the one you calculated by hashing the contents of the certificate and the one you got from decrypting the signature. If these values match then it's verified.
And I am omitting here the chain of authority like you did in the video. Hence I am considering the certificate authority is the root CA.
Thanks buddy,
He made a video and clarified that it's a slip
suggest the video for them so they know in detail
Thanks
Did not lose my attention for 1 sec..it was quite deeply informative and engaging
Your way of explaining "why?" is a unique approach these days compared with others who are wasting our time on how to do things without actually understanding them. But still, there is an opportunity for improvement; I wish you had drew the process instead of distracting our attention by imagining the situation and following your hands. In my opinion, that would be much better. Anyway, your effort is much appreciated. Thanks.
New to the channel, 20 seconds in. I'm already so intrigued by your energy. The explanation is top-notch too, no jargons, no beat around the bush, just straight-up simple straightforward explanation
one minute in and I'm already liking your charisma
I liked the video as soon as you said the "we don't ask what it is, we ask why it exists"
Brilliant explanation - thank you! Really clear and I appreciate how you make it animated and interesting.
I never saw certificates explained by hand-waving before
Completely hooked to your channel. Every topic that you bring out a video on is something that I was always curious but did not get time to read about it. Also, very well explained. Thanks a lot!
Good stuff here. I love the 'why' approach to teaching with the real life example. To solidify the knowledge you add the memorable story about Kazakhstan. Thanks for this
You Description are so good.. Many video I watch but nobody can't completely explain about this but now clear about this. Thanks.
One good thing from 2020 is that I discovered this channel, full of useful information !
❤️❤️ thank you Pratik! And welcome to the community
Hey, here coz I understand CAs and certificates, at the same time I don't. Nice vid helped me get to 100%
Amazing work, @Hussein. Just hand gestures are more than enough. Very well explained. Keep it up!
😍
Just a single word Excellent explanation 🙏
Thanks a lot 😊
Absolutely awesome ! Very well explained and I loved the Kazakhstan anecdote to illustrate the problem that could happen. Thank you so much !
you're fantastic!! I can't wait for your videow to absolutely blow up, great quality
Just wanted to say thank you for this explanation. I was having a hard time understanding but you have made it very clear!
Super storytelling, amazing!!
perfect , i like your style dude diving into details keep going
Top tier video, literally watched it through and through. Thank you!
Hello Hussein, you said the CA encrypts the server's information as well as its public key with the CA's private key to issue it a certificate and the client even though trusts the CA verifies the server's certificate by using the public key of the CA to encrypt the information in the server's certificate and then compares it with the part the CA encrypted. How would they match when the CA uses it's private key for encryption and the client uses the CA's public key for encrypting the content of the server's certificate
Excellent! Thank you! One question: What stops the man-in-the-middle from taking the certificate he recieves from google and passing it on to the client?
I am blessed to get your videos.. If helped me a lot in my career and my personal journey
Hi, thanku for giving me heart. I have a question 🙋.. Can u plz tell me the public and private keys are generated when and where its stored. And how they are generated.. Plz.. Its been months since nobody has answered my question
Maaaaan, That was crazy simple explaination. Enjoyed it. Thanks a lot.
Simply wow. Tons of knowledge in a single video and the perfect way of explaining them.
New subscriber here, glad I found your channel. Informative and Thorough.
Thank you and welcome to the channel! ❤️ I try to balance thoroughness with simplicity its a struggle .. thank you glad your enjoying the content
Great high level breakdown!
Simple and easy to understand; please keep it up!! 👍👍
You know, that was actually a good explenation. You got a like and a new subscriber.
bro, u r an absolute bless ... u have a nack ,thank u for saving my day
Very helpful topic! Please post more about this subject :)
Thanks for this video. Im learning about this in school right now and was having a hard time understanding it but you cleary explained the process. These textbooks go a little off track on some of these things lol!
Glad it helped! All the best ❤️
you just made things simple.good job!
Your content is amazing!
Love the hand talky talky
Excellent video bro! Thanks! :)
Juan Manuel Lomonaco
Dude youre awesome! Thanks a bunch for this video!
Really helpful video. Excellent and clear explanation. Just subscribed ur channel, continue to create more such videos 👍
Very well explained, thank you Hussein.
very realistic scneraios and didatical
ty a lot
hello from brazil
amazing explanation, thank you ☺️
Great video, thank you for taking the time to make it.
Thank you for the explanation!
Very nice explanation. Easy to understand. Thank you
Amazing video !
Great video I suggest the use of graphics too to make people who are more visual
Perhaps the companies could store their public Keys in some kind of blockchain, that way we wouldn't relay in Root authorities, of course that will have some cons aswell
In my naive understanding of Blockchain, I would think that would make the web really slow?
Beautiful explanation thanks!
Thanks Hussein for all of this. Helps a lot! Can you (or anyone reading this) expand on why the man-in-the-middle can't just forward the certificate provided by Google to impersonate Google for example. That's the only piece im missing!
very well explained
Hussein, thank you for your videos I've been watching a few of them last few days and noticed today in your background you have a bunch of programming books. How useful would you say it is reading books to truly understand a concept vs just either just getting dug in the problem or watching videos etc.?
E.g. lets say there is a concept I really need to understand in Azure and how to setup certificates, key rotation and be able to setup some form of automation testing. Now I have such limited knowledge on everything that entails.. when do you think is a good idea to just slow down and pick a book up rather than attack the problem head on always? This might be a video idea for you!
Man you are awesome
so then vpn can also be called middle man ?
The example of Kazakhstan helped me understand the whole topic 😂
Thanks for the video.
great explanation thank youu
great explanation
Thank you very much about this video, it explained a lot as other explanation didn't give technical explanation about how this works and also specially that you giving example which made it much easier to understand. at 9:25 does we use public key to encrypt or decrypt?
Hi Hussein. Thanks for the video. I'm not sure I completely understand the certificate verification part. I understood it as if I need to validate the certificate that is encryped with googles public key and the CA private key. How does that vertification happen? How do I end up with a certificate that is equivalent to that of the one signed by googles public key and the CA private key when I don't have the CA private key?
best explanation still
Great explanation...
I could be mistaken but it may be wise to apply Preventative maintenance efforts when it comes to the CMOS battery. Again I could be misunderstanding but if the CMOS battery fails or the NTP server, this may require manual peer list to align with the domain controllers. Are these concerns? Maybe a good discussion you can shine light on? I’m guessing locking out all end user accounts will allow to re-sync. Is this paranoia? Or do I have the right idea?
Hey Hussein, Thanks for your great content, I have a question here, might be a bit basic. We don't get the unencrypted data from the server right, how does the client generate the encrypted data with the public key of the certificate authority?
This is done through TLS handshake, (hopefully I understood the question)
th-cam.com/play/PLQnljOFTspQW4yHuqp_Opv853-G_wAiH-.html
great explanation - thank you!
Good topic!
Can we share zscaler root certificate to anyone??
Great informative video Hussein; I got a doubt about how servers generate public and private keys which are already not registered with CA? suppose "server A" generated a key pair and sent it to the CA(only public key, as your pinned comment says) then "server B" generated the same key pair and send it to the CA, how CA will handle this ambiguity? I don't know what I am saying is even correct...
So the private/public keys are only established by the CA. They use their private key to provide you with a signed certificate based on your company inputs. When a client downloads the certificate from some server trying to establish an SSL, the client immediately starts off by validating the signed certificate by using the public key of the associated CA. This is almost (if not completely), identical process of how JWTs work
Great video. I have one question, why can't google themselves provide a certificate? For example, if they encrypt a file with their private key and send it back to you and then you use their public key to decrypt the file. Since you're using their public key to decrypt the file, that means that only the person who had the private key could have encrypted that message.
I understand this might be difficult to implement because instead of keeping track of a few CA public keys you would need to locate the public key of each endpoint you were communicating with.
But how do you know the public-private key pair used to encrypt the file was of Karen or Google?
As you said" you would need to locate the public key of each endpoint you were communicating with", this is what we do with existing flow. Google does share its public key with us with each request, but to prove that the public key truly belongs to Google, we check it with Certificate Authority.
@@kushalkarmani3076 And how can we be certain that the public key is of the CA? Just how an attacker might act as google, can they not act as a CA and claim that Googles certificate is legit?
If the CA is acting just as a database, can't google have their own repository showcasing their legit public/private key?
@@kushalkarmani3076 I re-watched the video and caught the explanation. For anyone else who was thinking this; basically he said that the CA certificates are at the app/OS level and trusted by the system itself. As such, from what I interpreted the certificate from the CA is not established via a handshake but already on the device.
Please correct me if I am mistaken.
2:10 No, TLS uses two different Asymmetric keys; public key to encrypt and private key to decrypt
7:45 What! hell no. Private key must never be shared, otherwise you broke the main concept of the SSL/TLS.
For your first point, I am afraid you're not entirely correct because TLS actually uses both asymmetric and symmetric encryption during a TSL Handshake.
The second point, yes you're correct, but it is probably just a slip of the tongue.
Wow 🥳thet was clarify a lot
Thank u very much...pleased u can explain about certificate root?? I don't actually understand it...
דוד לוי thanks! I actually explained it in What are SSL/TLS Certificates? Why do we Need them? and How do they Work?
th-cam.com/video/r1nJT63BFQ0/w-d-xo.html. this video in details
Please make a video on how they are created and also about root certificate aaaaand certification with regards to antivirus and application software
I have a question here, not sure if that sounds silly. What if someone breaks in middle while we are connecting certificate authority for verification?
There is a possibility for that to happen.
Man in the middle of the man attack
How can I learn more about this and other similar topics? Any recommended books?
Very helpful..thanks for doing these.. do you have book recommendations for various topics like - security, networking, distributed systems, microservices etc. basically for everything related to backend.
So even with an Asymmetric key using both public and private on both ends can the information still be intercepted as explained or was this lesson in reference to symmetric single key encryption?
Thanks for explaining this topic. In many videos you have talked about Relational DB can be scaled for reads , Can you make a video to explain this by example and also how MySQL global transaction actually work by an example , thanks for your awesome work.
I tried to connect a TOP OPC UA Server with UA Expert Client. I do the certificates by using OpenSSL. I didn`t use an intermediate certificate, just the root, which signs the server cert and the server signs the client cert. The connection is being recognized, because a pop up window appears stating that the connection was recognized. But once I click on the connect button in UA Expert an error occurs saying:
Error: UaSessionPrivate::activateSession - can't find X509IdentityToken in endpoint description.
Thank you for your feedback if possible.
At 9:19 you incorrectly said "Encrypt the content" while it's a Decryption process from your end (from the client's end/the message receiver), and Re-Hashing afterword's for comparing purposes... so you can ensure the integrity and authenticity of the digital certificate or the message you have received from Google in your example. @Hussein Nasser
Hello
Nice video...can you explain what is an intermidiated certificat?
What if there happens to be a MITM attack between google server and certificate authority and the attacker gets certificate sent by CA to google?
THANKYOU.
Can u also talk about the chain of trust. Cert pinning and public key pinning?
Also what if Hacker just gives the real cert of Google to you.? You will see that cert is valid right?
It looks like that the connection gets established but the client encrypts the data with public key of real Google and hence the Hacker can't actually see anything there? Is this true that the connection gets established ?
Friendly Developer Thanks , good concepts . I talked about some of them here Global ROOT Certificate Expiration Causes Stripe and Roku to stop working on 5/31/2020 (Explained)
th-cam.com/video/haLxy1e_Hwo/w-d-xo.html
If the hacker forwards the cert of google to you than they can’t really see anything because the keys are established between google and the client. Check out my TLS video
Nice work, I am researching how I could have intranet web service using https. It seems you can’t have this kind of certificates for in-house servers. But I don’t want to have the traffic as plain text. How this could be done... Should I make my CA and add a certificate to each and every device, or there is something better? Thanks
How CA verifies that those who claiming to be google are actually guys from google and not random guy claiming to be google?
Google Cert will be signed by trusted CA which is signed by a trusted ROOT cert installed on our machines. Hackers won’t be able to get a fake google cert signed by a trusted CA (though It did happened before to a CA called diginotar, they got banned out)
big thanks
I love you thank you
My new android comes with root CA from China, Hong Kong, Taiwan, Japan, and a few other countries. Wouldn't I want to shut those off? Why would my device need to trust their site?
Exchange migration could be one useful when here.. however the very real issue (most overlook) is in order to keep 'that trust' the new server must be the same...During a live migration, this is technically impossible, as two servers cannot have same name on network, and allot of things break if you try and change name on new one to old name afterwards...
So MS, and probably few others, just say "its not advised" and its more convent to just "get new one"
Well.. ya, if you wanna go down THAT path, but sometimes you just wanna keep the name.. Everyone goes silent.. And besides,,, it will save the cost of a cert by moving one over.. These days,, i think no one wants people to migrate certs is not because it cannot be done, but because everyone wants $$$$$
Hello All, Kindly verify my understanding. It has been challenging to understood this concept for some time. Now i have put all the points together. Kindly clarify my understanding on this
(A) ACME corporation generates private and public keys using OpenSSL tool
(B) ACME corporation generates CSR by using public key and other information like Company Address , Company details etc. Sends CSR to CA
(C) CA verifies CSR and creates signed CERTificate (CERT) by signing with CA's private Key
(D) ACME corporation stores signed CERT
1. Client connects ACME corporation server with https protocol
2. ACME corporation sends the signed CERT to the client
3. Since the Client will have CA's public key of CERT, it should be able to open the certificate and validate if it is indeed issued for ACME corporation. (Note : All the Browser's will have public keys of CAs)
4. Client gets the public key which is inside the cert.
5. Client will create session key and encrypt with public key and sends the encrypted session key to ACME corporation server
6. ACME corporation server sends OK signal
7. After this point, secure communication happens from Client to ACME corporation server. Which means client will encrypt the message with session key, then ACME corporation server decrypts the message with private key (which was created in step A) (ACME corporation is the only entity holds private key, no one in the world will have it)
8. When message is send to Client, only client can decrypt the message because it is sole owner of session key(no one in the world will have the session key) .
Can you anyone validate 8th point. I am guessing session key at the client's side key can be used to decrypt the message sent by server
If man in the middle sniffs the data packet, then he can't do anything because it is encrypted with session key. And session key is encrypted with public key. Unless he steals the session key in step 5 he can't decrypt the message. However for this to happen, he should also get public key, but even with the public key he can't decrypt the message
@hnasr, can you help me pls? I am opening exe file with 7zip and have .tls (empty file in Windows CRLF encoding) and CERTIFICATE ( file in Macintosh CR encoding, where all symbols messed, except strings indicating urls to .crl and CA names) Can you reproduct the same on your exe and explain what this .tls stands for? And how to decode CERTIFICATE?
Love your videos! Just a request, could you make videos on caching with redis? Particularly feed caching like twitter, instagram. Push and pull model. Thanks
Shree Ranga Raju thanks Shree! Nice idea I did discuss Redis here
th-cam.com/video/sVCZo5B8ghE/w-d-xo.html but I am yet to make a dedicated video on caching strategies🙏
I discussed push and poll here th-cam.com/video/8D1NAezC-Dk/w-d-xo.html
@@hnasr Thanks Hussein. I did check them out. They're great! But with a real example would be even better I guess. Just a thought. Yeah, like you said with caching strategie :)
If I on my browser can get google signed certificate, can't man-in-the-middle get it too and forward it back to the client?
They can but it will be pointless as they can’t change anything in the encrypted messages.
the moment they try to change anything in the message or intercept traffic they have to prove they own the private key of google which they don’t and as a result the client will reject the message
I have a doubt wrt to CA and their digital signature. So website owner gives some Information to CA, CA encrypts that with its private key. Now the websites will send the browser the same information along with the content which CA encrypted. Now you said the browser will encrypt the information with CA public key and compare it with the CA encrypted content and trust if both are same right?
My doubt is does asymmetric key work like this?
Public key - PU
Private key - PR
Content - C
So, C encrypted with PU == C encrypted with PR ??
Good question!
So private key encrypts and public key decrypts (it can also do the reverse too)
The trick we do to verify the signature by decrypting the signature with the CA public key and comparing it to the content. If it matches we know its good because only the CA could have made that signature with the corresponding private key
@@hnasr awesome. cleared now. And I gave you a request in LinkedIn. Hope you'll accept :)
What is the difference between Offline Root CA & Subordinate CA ?
Major fear about cert auth is how easy will it be for govts to ask for keys of entities that are of interest to govt? Is that possible?
If that was ever discovered (which I am not sure how yet) the CA will be untrusted immediately. OCSP will kick in.
If trusted CA provided its private key to a government and that government started issuing certificates on behalf of the CA the government still need to intercept the traffic somehow by implementing a L7 Proxy which users need to specify to access the internet