Really awesome informative video. No bulshiting around, direct to the point information. Too good. I would request you to make a video on mutual authentication.
My workstation is in a private network and does not have any Internet access. I then allow this workstation to access one https site (only one https site). Will it work, because my workstation can’t access URL given in the AIA (Authority Information Access) of digital certificate?
Thanks for the informative video, John. Though I am just wondering, what is benefit of generating the hash and then running the signature algorithm with that hash, rather than the entire contents of the certificate? Thanks
Hi Luke...great question! The reason for signing the hash is because of the resources it would take to sign the full contents of the certificate. It's much faster to hash it and then sign the hash. So, it speeds things up significantly to do it this way. You know how users are...they want stuff fast! No one wants to sit there and watch their favorite web page spin for a few minutes while the security mechanisms are at work in the background. Thanks again for the great question!!
AIA is also https hosted, so it will have its own Digital Certificate which will contain another AIA, and that will contain another Certificate. So when this chain will stop ?
Great question! Yes, the CA will typically sign the certificate using their private key so that the users will know that the cert is from the legitimate CA that it claims to be from.
Hi Adarsh, great question! Typically, a client (browser) will check the server's certificate for expiration date, signature from valid CA, and valid cert chain before it will connect to the web server. If any of these things are not an expected value, then it will show a warning page to the user (cert invalid, cert expired, etc) and make the user accept the security risk before proceeding to the site.
@@devcentral thanks.. My question was more with respectto Mutual auth. In mutual auth what parameters are generally checked to perform a succesful authentication connection
How does the client know that the AIA is legitimate? It's the first thing I'd to when luring people onto my website--send them to one of my other websites for verification! Similar for the CRL.
Thanks for the great question/observation! The legitimacy of the AIA (and the other pieces of the certificate) really relies on the authenticity of the contents of the certificate being genuine. And this relies on the authenticity of the Certificate Authority creating a valid certificate that has all the correct (accurate) information in it. This is why it's important that the Certificate Authority (CA) sign the certificate and prove that all of its contents are genuine and correct. And, it's also important that the client (browser) interacts with certificates properly. So, in your example, if an attacker wanted to modify the URL of the certificate revocation location, then the attacker would need to figure out a way to modify that portion of the certificate without changing the hash value of the certificate from the CA. And, this relies on the strength of the hashing algorithm used to create the hash and sign the certificate. It's all a series of trust in processes/algorithms that we collectively believe to be reliable and trustworthy. Thanks again...and great observations!
does the certificate include the domain or even IP address of the server? if not how does the client verify identity if the certificate does not state it?
Great question! Yes, the certificate includes the domain name (or sometimes multiple domain names) of the server, so the client can match the identity.
@@devcentral Yes, the domain information was missed on the whiteboard, and it was an important piece, imo. Also, it is not clear about the hash signature. What is used to create the hash and how exactly the hash is used? Is the hash signed? If the browser is verifying the certificate, would they need to generate the hash from the body of the certificate, use the public key to encrypt it and then compare it against the signed hash value in the certificate? Or is the hash use in any other way? Also, what is a certificate thumbprint?
just click on the lock symbol which on the left side of the search bar. Then click on certificate, go to details..there you will see all the details of the certificate practically for this youtube page.
My workstation is in a private network and does not have any Internet access. I then allow this workstation to access one https site (only one https site). Will it work, because my workstation can’t access URL given in the AIA (Access Information Access) of digital certificate?
7 years later and still slaps
GREAT video explaining digital certificates, thanks!!!
we are glad you found it helpful!
Great video. Thanks for valuable information.
glad you enjoyed it!
Love your lessons.Thanks!
glad you enjoy them!
Really awesome informative video. No bulshiting around, direct to the point information. Too good. I would request you to make a video on mutual authentication.
glad you enjoyed it!
@@devcentral yes, mutual authentication
@John perfact explanations in all tutorials!!! Learning from u thanks
glad you enjoy them!
Love your lessons.
glad you are finding them helpful!
Very helpful for interview preparation.
I'm glad it was helpful...and I hope you did well in the interview!
Thanks for valuable information.
glad you enjoyed it!
it really helps me to understand better thanks!
glad you enjoyed it!
great video!!
glad you enjoyed it!
My workstation is in a private network and does not have any Internet access. I then allow this workstation to access one https site (only one https site). Will it work, because my workstation can’t access URL given in the AIA (Authority Information Access) of digital certificate?
Thanks for the informative video, John. Though I am just wondering, what is benefit of generating the hash and then running the signature algorithm with that hash, rather than the entire contents of the certificate? Thanks
Hi Luke...great question! The reason for signing the hash is because of the resources it would take to sign the full contents of the certificate. It's much faster to hash it and then sign the hash. So, it speeds things up significantly to do it this way. You know how users are...they want stuff fast! No one wants to sit there and watch their favorite web page spin for a few minutes while the security mechanisms are at work in the background. Thanks again for the great question!!
@@devcentral do you have a video on Station to Station protocol?
@@zenchiassassin283 not at this point, but we can look at recording one. thanks!
AIA is also https hosted, so it will have its own Digital Certificate which will contain another AIA, and that will contain another Certificate. So when this chain will stop ?
Yes, time has stopped while waiting for this question to be answered!
Certificate also has the actual signature of CA using CA private key after hashing the entire content you mentioned . Isn’t it ?
Great question! Yes, the CA will typically sign the certificate using their private key so that the users will know that the cert is from the legitimate CA that it claims to be from.
thanks man. Quick question.. When we say certificate authentication, what are the things which are checked before authenticating ?
Hi Adarsh, great question! Typically, a client (browser) will check the server's certificate for expiration date, signature from valid CA, and valid cert chain before it will connect to the web server. If any of these things are not an expected value, then it will show a warning page to the user (cert invalid, cert expired, etc) and make the user accept the security risk before proceeding to the site.
@@devcentral thanks.. My question was more with respectto Mutual auth. In mutual auth what parameters are generally checked to perform a succesful authentication connection
How does the client know that the AIA is legitimate? It's the first thing I'd to when luring people onto my website--send them to one of my other websites for verification! Similar for the CRL.
Thanks for the great question/observation! The legitimacy of the AIA (and the other pieces of the certificate) really relies on the authenticity of the contents of the certificate being genuine. And this relies on the authenticity of the Certificate Authority creating a valid certificate that has all the correct (accurate) information in it. This is why it's important that the Certificate Authority (CA) sign the certificate and prove that all of its contents are genuine and correct. And, it's also important that the client (browser) interacts with certificates properly. So, in your example, if an attacker wanted to modify the URL of the certificate revocation location, then the attacker would need to figure out a way to modify that portion of the certificate without changing the hash value of the certificate from the CA. And, this relies on the strength of the hashing algorithm used to create the hash and sign the certificate. It's all a series of trust in processes/algorithms that we collectively believe to be reliable and trustworthy. Thanks again...and great observations!
does the certificate include the domain or even IP address of the server? if not how does the client verify identity if the certificate does not state it?
Great question! Yes, the certificate includes the domain name (or sometimes multiple domain names) of the server, so the client can match the identity.
@@devcentral Yes, the domain information was missed on the whiteboard, and it was an important piece, imo. Also, it is not clear about the hash signature. What is used to create the hash and how exactly the hash is used? Is the hash signed? If the browser is verifying the certificate, would they need to generate the hash from the body of the certificate, use the public key to encrypt it and then compare it against the signed hash value in the certificate? Or is the hash use in any other way? Also, what is a certificate thumbprint?
Is this video mute?
Just checked it out and sound is working fine.
full theory....it would be better if you show some practical ...the protocol in real life action!
just click on the lock symbol which on the left side of the search bar. Then click on certificate, go to details..there you will see all the details of the certificate practically for this youtube page.
How the hell u are writing...man
are u writing backwards on mirror
Uncensored x they have done a video on it. Check dev central
Dude's a wizard!
My workstation is in a private network and does not have any Internet access. I then allow this workstation to access one https site (only one https site). Will it work, because my workstation can’t access URL given in the AIA (Access Information Access) of digital certificate?