Question

Can somebody please explain the trust model of the known CAs? Here's what I mean:

microsoft.com, for example, can use a Verisign certificate for their domain. What are the chances for an attacker to ask for an M1crosoft.com domain? Very similar, but attackers could still use it to run a "secured phishing website".

What kind of checks do the CAs do before they give certificates to people? Is there a standard or something? Do I need to assume and not trust secure websites in reality?

Thank you.


Solution

Actually, you are right, I'm afraid: if any CA installed in your browser issues the m1crosoft.com certificate, then there may be a phishing attack.

However, since the CA is where the trust comes from, there's no way to bypass this. Fortunately, there is some audit mechanism when a CA issues a certificate, though I'm not sure what the audit mechanism is.

You can refer to the question here:

But a CA can make me trust any server they want!

Yes, and that is where the trust comes in. You have to trust the CA not to make certificates as they please. When organisations like Microsoft, Apple and Mozilla trust a CA though, the CA must have audits; another organisation checks on them periodically to make sure everything is still running according to the rules.

Issuing a certificate is done if, and only if, the registrant can prove they own the domain that the certificate is issued for.

I'm not sure if it is what you want to know.

OTHER TIPS

A certificate is issued for the microsoft.com domain. If an attacker uses this certificate on M1crosoft.com, your web browser or other application shows a warning that this certificate is not trustworthy. Some CAs verify who they give certificates to. Root certificates of some of these CAs are in your web browser.
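As an added illustration of the browser check described in the answer above (example code written for this page, not from the original answers), this is the hostname-matching step a TLS client performs: the name the user typed is compared against the DNS names in the certificate's Subject Alternative Name list, following the RFC 6125 wildcard rules. The SAN lists are constructed; the second step, validating the chain up to a trusted root, is not shown.

```python
"""Hostname check a TLS client runs after chain validation.

A certificate issued for microsoft.com is rejected on m1crosoft.com by this
check alone. A certificate a CA actually issued for m1crosoft.com passes it,
which is why the CA's domain-ownership vetting is the other half of the trust.
"""
from __future__ import annotations


def _name_matches(cert_name: str, host: str) -> bool:
    """Match one SAN dNSName entry against an already-normalised hostname."""
    if "*" not in cert_name:
        return cert_name == host
    name_labels = cert_name.split(".")
    host_labels = host.split(".")
    # Wildcard is only honoured as the entire leftmost label, never inside a
    # label, and only when at least two labels follow it (no "*.com").
    if name_labels[0] != "*" or len(name_labels) < 3:
        return False
    # "*" matches exactly one label: "*.example.com" does not cover
    # "a.b.example.com", nor the bare "example.com".
    if len(name_labels) != len(host_labels):
        return False
    return name_labels[1:] == host_labels[1:]


def hostname_matches(san_dns_names: list[str], hostname: str) -> bool:
    """True if hostname is covered by any dNSName in the certificate's SAN.

    Comparison is case-insensitive and ignores a trailing root dot.
    """
    host = hostname.rstrip(".").lower()
    return any(_name_matches(n.rstrip(".").lower(), host) for n in san_dns_names)


def verdict(san_dns_names: list[str], hostname: str) -> str:
    """Human-readable outcome, mirroring the warning a browser would show."""
    if hostname_matches(san_dns_names, hostname):
        return f"{hostname}: name matches certificate"
    return f"{hostname}: WARNING, certificate is not valid for this name"


if __name__ == "__main__":
    # Constructed SAN list standing in for a microsoft.com certificate.
    san = ["microsoft.com", "www.microsoft.com", "*.cloud.microsoft.com"]
    for site in ["www.microsoft.com", "m1crosoft.com", "docs.cloud.microsoft.com"]:
        print(verdict(san, site))
```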

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow