1
00:00:00,000 --> 00:00:01,980
In this demonstration, we're going to explore

2
00:00:01,980 --> 00:00:04,770
the digital certificates associated with a few websites

3
00:00:04,770 --> 00:00:06,420
and the type of information they contain

4
00:00:06,420 --> 00:00:08,700
in their public key certificates.

5
00:00:08,700 --> 00:00:11,070
On the screen, you see two websites.

6
00:00:11,070 --> 00:00:13,890
I have Google on the left and Apple on the right.

7
00:00:13,890 --> 00:00:15,360
Both of these are being visited

8
00:00:15,360 --> 00:00:19,470
over an HTTPS connection over port 443.

9
00:00:19,470 --> 00:00:23,100
If I click the little lock next to the website name,

10
00:00:23,100 --> 00:00:24,360
you're going to see that it does have

11
00:00:24,360 --> 00:00:26,520
a digital certificate and it's valid.

12
00:00:26,520 --> 00:00:28,020
Now in Chrome, if I click on that,

13
00:00:28,020 --> 00:00:30,630
it will give me the details of that certificate.

14
00:00:30,630 --> 00:00:34,680
Notice that the website certificate is for www.google.com.

15
00:00:34,680 --> 00:00:36,840
That's its public key certificate.

16
00:00:36,840 --> 00:00:40,170
It was issued by the Google Internet Authority G3,

17
00:00:40,170 --> 00:00:41,670
and it was globally signed.

18
00:00:41,670 --> 00:00:43,560
Now, if I look at the details of this,

19
00:00:43,560 --> 00:00:45,540
I can see who the subject is.

20
00:00:45,540 --> 00:00:47,820
Who is the person this was issued to.

21
00:00:47,820 --> 00:00:51,060
This digital certificate was issued to Google LLC

22
00:00:51,060 --> 00:00:52,950
out of Mountain View, California.

23
00:00:52,950 --> 00:00:55,830
It was issued by Google Trust Services,

24
00:00:55,830 --> 00:00:57,600
which is one of the big online

25
00:00:57,600 --> 00:00:59,700
digital certificate providers.

26
00:00:59,700 --> 00:01:01,890
And you can see that it uses SHA-256

27
00:01:01,890 --> 00:01:03,720
to provide integrity of that signature,

28
00:01:03,720 --> 00:01:06,330
and the encryption is using RSA.

29
00:01:06,330 --> 00:01:08,970
Now, as you go further, you can see what it's valid for.

30
00:01:08,970 --> 00:01:10,830
You can see the public key info.

31
00:01:10,830 --> 00:01:14,730
This is being sent as an ECC public key certificate,

32
00:01:14,730 --> 00:01:18,990
and it has a key size of 256 bits.

33
00:01:18,990 --> 00:01:21,510
So, I'm going to stop on that side and go look at Apple now.

34
00:01:21,510 --> 00:01:22,830
So, if I go over here to Apple,

35
00:01:22,830 --> 00:01:25,650
you can see that this certificate was issued to Apple Inc.

36
00:01:25,650 --> 00:01:27,660
out of Cupertino, California.

37
00:01:27,660 --> 00:01:29,340
That's where Apple's headquarters is.

38
00:01:29,340 --> 00:01:31,260
If you scroll down, you'll see who issued it.

39
00:01:31,260 --> 00:01:33,000
It wasn't issued by Apple themselves.

40
00:01:33,000 --> 00:01:34,800
It was issued by DigiCert,

41
00:01:34,800 --> 00:01:36,900
another large digital certificate,

42
00:01:36,900 --> 00:01:40,020
high assurance root certificate authority.

43
00:01:40,020 --> 00:01:41,130
Now, you can also see when it was

44
00:01:41,130 --> 00:01:43,140
valid before and valid to.

45
00:01:43,140 --> 00:01:44,700
And as you scroll down a little bit further,

46
00:01:44,700 --> 00:01:47,610
you'll get the information on its public key information.

47
00:01:47,610 --> 00:01:49,500
So, on the left with Google,

48
00:01:49,500 --> 00:01:53,520
we're using ECC, Elliptic Curve Cryptography.

49
00:01:53,520 --> 00:01:56,610
On the right, we're using RSA encryption.

50
00:01:56,610 --> 00:01:59,100
Now, why is there a difference there?

51
00:01:59,100 --> 00:02:01,890
Well, Google has a very minimalist site,

52
00:02:01,890 --> 00:02:05,670
and they also are focused very heavily on mobile browsers.

53
00:02:05,670 --> 00:02:08,880
Mobile devices have less processing power

54
00:02:08,880 --> 00:02:10,229
than a desktop would.

55
00:02:10,229 --> 00:02:11,760
And so, if you're visiting a website

56
00:02:11,760 --> 00:02:13,230
and you're using a mobile browser,

57
00:02:13,230 --> 00:02:16,740
they try to send you an elliptic curve certificate instead,

58
00:02:16,740 --> 00:02:20,790
because with a smaller key size using only 256 bits,

59
00:02:20,790 --> 00:02:23,010
we still get a high level of security.

60
00:02:23,010 --> 00:02:25,800
Now, on the right, Apple's website that I'm looking at,

61
00:02:25,800 --> 00:02:27,990
realizes that I'm on a desktop computer.

62
00:02:27,990 --> 00:02:30,360
And so, it's sending me the desktop version.

63
00:02:30,360 --> 00:02:33,330
Because the desktop computer has more processing,

64
00:02:33,330 --> 00:02:36,300
it can support an RSA encryption certificate.

65
00:02:36,300 --> 00:02:38,310
Now, the RSA encryption certificate

66
00:02:38,310 --> 00:02:42,300
is using a key size of 2048 bits.

67
00:02:42,300 --> 00:02:45,870
Notice this is almost 10 times larger key size

68
00:02:45,870 --> 00:02:47,640
than the ECC certificate,

69
00:02:47,640 --> 00:02:50,790
but they provide equivalent capability

70
00:02:50,790 --> 00:02:53,250
as far as the security that they're going to give you.

71
00:02:53,250 --> 00:02:54,270
So, that's really the difference

72
00:02:54,270 --> 00:02:57,300
between seeing this ECC public key certificate

73
00:02:57,300 --> 00:02:59,790
versus an RSA public key certificate.

74
00:02:59,790 --> 00:03:01,860
They're just a different type of encryption being used.

75
00:03:01,860 --> 00:03:04,230
ECC is favored when you're using mobile

76
00:03:04,230 --> 00:03:05,730
and low power devices.

77
00:03:05,730 --> 00:03:08,460
RSA is favored when you're using desktops.

78
00:03:08,460 --> 00:03:09,600
And so, as you go through,

79
00:03:09,600 --> 00:03:11,940
you can figure out all the different pieces of information

80
00:03:11,940 --> 00:03:13,920
that make this digital certificate up.

81
00:03:13,920 --> 00:03:15,630
Things like its key ID,

82
00:03:15,630 --> 00:03:18,540
things like its authentication and its identification,

83
00:03:18,540 --> 00:03:19,830
and then going all the way down,

84
00:03:19,830 --> 00:03:22,320
you can even get down to its unique fingerprint

85
00:03:22,320 --> 00:03:24,570
that identifies it as that certificate.

86
00:03:24,570 --> 00:03:25,950
And if I do the same thing on Google,

87
00:03:25,950 --> 00:03:27,870
you'll see it's a completely different one,

88
00:03:27,870 --> 00:03:30,020
because they're two different certificates.