Interviewer: Why self-sign is not safe?

LORY · 4 min read · Jun 5, 2024

SSL certificate verification process explained in 3 minutes

The story

Last week my friend messaged me that he had an interview (FE, SDE1) and was asked about the HTTPS handshake process. I told him to look into my earlier post here.

However, “It’s not enough; it didn’t answer the question I was asked,” he said.

“So what was the question?” I asked.

“‘So how do you generate an SSL certificate?’” he said.

“And did you tell him from a CA?” I asked.

“Yes, I did. Then he asked me, ‘Why not just use self-signed, rather than get a valid certificate from a CA?’ I couldn’t answer this question, so I said, ‘The certificate itself can tell the organization information, and the user wants to make sure they are visiting the correct domain.’”

“That sounds like a good answer,” I said.

“No. Then the guy asked, ‘But how does the user know that the organization name they see on the certificate is the one they are expecting to access? In other words, how do you validate the certificate returned from the server?’” he said.

“And I said, well, I am not sure; it should be done in the browser itself, and if validation fails, you will see something like ‘certificate error, blah blah... click here to continue to the site.’ However, he didn’t seem very happy. I am not sure if I will pass it.”


LORY

A channel focusing on developer growth and self-improvement.