Editing Transport Layer Security (section)

==Digital certificates==
{{Main|Public key certificate}}
[[File:Let's Encrypt certificate example on Firefox 133 screenshot.webp|thumb|Example of a website with digital certificate]]
A digital certificate certifies the ownership of a public key by the named subject of the certificate, and indicates certain expected usages of that key. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. Keystores and trust stores can be in various formats, such as [[Privacy-Enhanced Mail|.pem]], .crt, [[PKCS 12|.pfx]], and [[Java KeyStore|.jks]].

===Certificate authorities===
{{Main|Certificate authority}}
TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of certificates distributed with user agent software,<ref>{{cite web|url=https://www.rsaconference.com/writable/presentations/file_upload/sec-t02_final.pdf|title=Alternatives to Certification Authorities for a Secure Web|last=Rea|first=Scott|date=2013|publisher=RSA Conference Asia Pacific|access-date=7 September 2016|url-status=live|archive-url=https://web.archive.org/web/20161007222635/https://www.rsaconference.com/writable/presentations/file_upload/sec-t02_final.pdf|archive-date=7 October 2016}}</ref> and can be modified by the relying party.

According to [[Netcraft]], who monitors active TLS certificates, the market-leading certificate authority (CA) has been [[NortonLifeLock|Symantec]] since the beginning of their survey (or [[Verisign|VeriSign]] before the authentication services business unit was purchased by Symantec). As of 2015, Symantec accounted for just under a third of all certificates and 44% of the valid certificates used by the 1 million busiest websites, as counted by Netcraft.<ref>{{Cite web|url=https://news.netcraft.com/archives/2015/05/13/counting-ssl-certificates.html|archive-url=https://web.archive.org/web/20150516035536/http://news.netcraft.com/archives/2015/05/13/counting-ssl-certificates.html|url-status=dead|title=Counting SSL certificates|archive-date=16 May 2015|access-date=20 February 2022}}</ref> In 2017, Symantec sold its TLS/SSL business to DigiCert.<ref>{{cite news|last1=Raymond|first1=Art|title=Lehi's DigiCert swallows web security competitor in $1 billion deal|url=https://www.deseretnews.com/article/865686081/Lehis-DigiCert-swallows-web-security-competitor-in-1-billion-deal.html|access-date=21 May 2020|work=Deseret News|date=3 August 2017|archive-date=29 September 2018|archive-url=https://web.archive.org/web/20180929171244/https://www.deseretnews.com/article/865686081/Lehis-DigiCert-swallows-web-security-competitor-in-1-billion-deal.html|url-status=dead}}</ref> In an updated report, it was shown that [[IdenTrust]], [[DigiCert]], and [[Sectigo]] are the top 3 certificate authorities in terms of market share since May 2019.<ref>{{cite web|title=Market share trends for SSL certificate authorities|url=https://w3techs.com/technologies/history_overview/ssl_certificate|website=W3Techs|access-date=21 May 2020}}</ref>

As a consequence of choosing [[X.509]] certificates, certificate authorities and a [[public key infrastructure]] are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more convenient than verifying the identities via a [[web of trust]], the [[Global surveillance disclosures (2013–present)|2013 mass surveillance disclosures]] made it more widely known that certificate authorities are a weak point from a security standpoint, allowing [[man-in-the-middle attack]]s (MITM) if the certificate authority cooperates (or is compromised).<ref>{{cite magazine|url=https://www.wired.com/threatlevel/2010/03/packet-forensics|title=Law Enforcement Appliance Subverts SSL|archive-url=https://web.archive.org/web/20140412151324/http://www.wired.com/threatlevel/2010/03/packet-forensics|date=March 24, 2010|archive-date=April 12, 2014|magazine=[[wired (magazine)|wired]].com|author=[[Ryan Singel]]|url-status=live}}</ref><ref>{{cite web|title=New Research Suggests That Governments May Fake SSL Certificates|url=https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl|archive-url=https://web.archive.org/web/20100325223422/http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl|date=March 24, 2010|archive-date=March 25, 2010|author=[[Seth Schoen]]|website=[[Electronic Frontier Foundation|EFF]].org|url-status=live}}</ref>

=== Importance of SSL Certificates ===

* '''Encryption''': SSL certificates encrypt data sent between a web server and a user’s browser, ensuring that sensitive information is protected throughout transmission. This encryption technology stops unauthorized parties from intercepting and interpreting data, so protecting it from possible risks such as hacking or data breaches.
* '''Authentication''': SSL certificates also offer authentication, certifying the integrity of a website and that visitors are connecting to the correct server rather than a malicious impostor. This authentication method helps consumers gain trust by ensuring that they are dealing with a trustworthy and secure website.
* '''Integrity''': Another important role of SSL certificates is to ensure data integrity. SSL uses cryptographic techniques to verify that data communicated between the server and the browser is intact and unmodified during transit. This keeps malevolent actors from interfering with the data, ensuring its integrity and trustworthiness.