Sometimes you will see a journalist say something that's just _technically_ wrong, in an "Um... actually" kind of way. Like saying there are 4 billion "Internet addresses". Yeah it's actually 2^32 and those are IPv4 addresses, and anyway some are in reserved classes we can never use and... We shouldn't care about these cases, it's fun to make a big deal as a _nerd_ but it's not a real problem.
But here they are misleading people as to the general purpose of a CA.
The CA doesn't in fact promise "traffic will not be intercepted" and how could they. The CA promises that their subscriber proved to them that they know a private key to which the corresponding public key is in the certificate, and that they control the things (usually FQDNs) named in the certificate.
Insurance, as another poster points out, is basically worthless. In fact it's worthless in multiple independent ways, it's deliberately engineered to _be_ worthless. For consumer insurance that would be illegal in many countries (taking people's money to "insure" against a risk that won't happen is prohibited in those countries), but they don't sell it to consumers, they sell it to the Certificate Authority and non-individuals are more free to make bad decisions since nobody important will get hurt.
> The CA doesn't in fact promise "traffic will not be intercepted" and how could they. The CA promises that their subscriber proved to them that they know a private key to which the corresponding public key is in the certificate, and that they control the things (usually FQDNs) named in the certificate.
Right, but surely you see how 90% of that statement is utterly incomprehensible to a general audience?
As written, sure. But making that statement into a claim that's comprehensible to a general audience is distinct from just claiming something completely unrelated. Notice that in my statement the CA has nothing to do with this traffic and whether or not it's intercepted. Because they don't.
Part of a journalist's job is to find a way to summarise an inevitably complicated story _without_ in the process making it into a completely different story. "Bilbo the wizard stole a magical ring" is not a good summary of The Hobbit, because it is wrong. The wizard isn't named Bilbo and that isn't what that story is about even though maybe it's important for other reasons.
> Websites that want to be designated as secure have to be certified by an outside organization, which will confirm their identity and vouch for their security. The certifying organization also helps secure the connection between an approved website and its users, promising the traffic will not be intercepted.
becomes
Certificate Authorities are organisations that validate a web site's "domain name" and issue certificates for validated names. The site uses a certificate to prove its name to your web browser when you visit an encrypted site.
This seems relatively easy to understand; most importantly, it's clear that the certificate is about naming and not some nebulous "security" or identity more broadly. Also valuable, it's clear that the CA plays no direct role in actually securing an HTTPS connection (very common for people not to understand that, even fairly technical people), and yet it's vague enough that I don't have to explain how public key technology works, which is a whole can of worms.
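To make the two statements above concrete (what the CA actually attests to, and what the browser checks when a site "proves its name"), here is an added example, not code from anyone in this thread, using Go's standard `crypto/x509` library. It builds a constructed root CA, has it issue a certificate binding a site's public key to a validated name, and then performs the two checks a client does: the name in the URL must be among the certified names and the chain must lead to a trusted root, and the site must demonstrate possession of the private key by signing a fresh challenge. The names `www.example.test` and `other.example.test` and the root CA are constructed for the example. Note that the CA appears only in `issueLeaf`; nothing about the connection itself involves it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// exampleSite is a constructed name; no real site or CA is involved here.
const exampleSite = "www.example.test"

// newCA builds a self-signed root, standing in for a root the browser trusts.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf is the CA's whole promise in code: once the subscriber has shown it
// holds the private key and controls the names, the CA signs a certificate
// binding that public key to exactly those names. It never sees any traffic.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, names []string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	siteKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     names, // the FQDNs the CA validated
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &siteKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, siteKey, err
}

// browserAccepts is the client-side check when you visit hostname: the chain
// must end at a trusted root and hostname must be one of the certified names.
// A perfectly valid certificate for some other name is rejected.
func browserAccepts(root, leaf *x509.Certificate, hostname string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err == nil
}

// provesKey replays the "knows the private key" half at connection time, as a
// TLS handshake does: the site signs a fresh challenge and the client checks
// the signature against the public key carried in the certificate.
func provesKey(leaf *x509.Certificate, siteKey *ecdsa.PrivateKey, challenge []byte) bool {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, siteKey, digest[:])
	if err != nil {
		return false
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	root, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	leaf, siteKey, err := issueLeaf(root, caKey, []string{exampleSite})
	if err != nil {
		panic(err)
	}
	fmt.Println("certified name accepted:  ", browserAccepts(root, leaf, exampleSite))
	fmt.Println("uncertified name accepted:", browserAccepts(root, leaf, "other.example.test"))
	fmt.Println("site proves its key:      ", provesKey(leaf, siteKey, []byte("constructed challenge")))
}
```

The check that fails for `other.example.test` is the only thing the certificate buys you: a binding between a validated name and a public key, vouched for by a root the client already trusts. Confidentiality of the connection comes from the key exchange the two endpoints run afterwards, which the CA takes no part in.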