Who do you trust? And how safe is truly safe? In a playful sense.

Blog  — Tue 7 Oct 2025

Internet security is improving a little every day. Yet a large part of that security today seems to rely on something called TLS. It used to be called SSL. It was the green padlock. Now sometimes it is not green anymore. But it is still a padlock in your browser's address bar. But what does it actually represent?

The padlock in the browser means that data from the website you visit is locked until it reaches your computer. Only then is it unlocked. The same applies in reverse: everything you enter and send to the website is locked and can only be accessed by the website.

Technically, I will not go into much detail here. In this article, I mainly want to focus on non-technical observations regarding that padlock, in light of today's context.

What you need to know if you are not very technical, is that a padlock only works because someone has said it can be trusted. But who is that? And why do they say it?

Every padlock in the address bar is linked to a security certificate. Browsers normally give major warnings if just anyone creates a certificate, no matter how technically secure that certificate is. It is about a chain of trust. A certificate is only trusted by all devices if it has been issued by a so-called CA, a Certificate Authority. Without that step, your device says: I see a padlock (TLS), but I don't know the CA. So this is risky. Do not proceed, be careful! But is that really justified?

The illusion of trust in public TLS certificates

TLS is important, necessary and excellent. HTTPS and X.509 certificates as well. At its core, the cryptography of a certificate is independent of the issuer, as long as the key is properly managed. Yet most websites worldwide rely on a limited number of public certificate authorities, or CAs, for their trust. This is a crucial nuance that is rarely explicitly discussed. Even stranger is that many of these parties are North American companies, such as Apple, Microsoft, Mozilla and Google.

Technical equivalence of certificates

An X.509 certificate is essentially a digital signature linked to a public key. Whether this certificate is issued by Let’s Encrypt, DigiCert, or by yourself, does not change the cryptographic strength of the key. A 4096-bit RSA key you generate yourself is technically stronger than a 2048-bit key from a public CA, although browsers do not automatically recognize this. The difference lies in the position of trust within the chain.

What does trust mean?

In the context of HTTPS, trust is about who manages the root certificates accepted by browsers and operating systems. When a browser checks a certificate from your server, it verifies whether the certificate is signed by a root in the trust store. Without that trust, the browser gives warnings, regardless of how strong your key is. This is a social-technical construct, not a purely cryptographic matter.

The concentration of power

Most root certificates in browsers are issued by a handful of American companies or non-profit organizations that rely on US infrastructure and sponsors. Companies such as Microsoft, Apple, Mozilla and Google have decisive influence over which CAs are included in trust stores. In a world where geopolitical interests are shifting, this means a significant part of internet trust is concentrated in organizations that could potentially receive other instructions due to political pressure or legislation.

The implications of centralised trust

The fact that such a small number of parties controls the key positions in browser trust stores creates a single point of failure, not in the cryptography itself, but in the social contract of trust. A mistake, hack, or political decision at one of these entities can immediately compromise thousands or millions of certificates. It is a vulnerability often ignored because the system is taken for granted.

Alternatives and their trade-offs

You can issue certificates yourself that are technically strong, as long as you manage the private key securely. With tools like self-signed certificates or a private PKI, you can maintain full control. The problem is that public users must explicitly accept your root, which limits the usability of your website. Public CAs provide worldwide, ready-made trust, but introduce a third party into the chain that you do not need to trust technically, but must trust for universal compatibility.

The role of Let’s Encrypt

Let’s Encrypt is managed by a non-profit organization, the Internet Security Research Group (ISRG), and independent of the previously mentioned large commercial companies. They are based in California, United States, and have major companies as sponsors. Their CA provides free certificates and an ACME protocol for automatic issuance. Technically, everything is generated locally, private keys never leave your server, and the cryptography is standard TLS 1.3 with AES-GCM or ChaCha20. Yet it remains an extra link in the chain of trust, which can be indirectly influenced by their sponsor structure or political factors. This does not pose a practical attack vector today, but geopolitics could change that in the future.

TLS and cryptographic assurance

TLS 1.3 eliminates many earlier weaknesses, such as padding and renegotiation attacks, and uses only forward secrecy. Microarchitectural side-channel attacks are theoretically possible, but practically rarely feasible. It therefore makes little difference whether a certificate is self-issued or provided by Let’s Encrypt, as long as the key and TLS implementation are correct. The difference remains social, not technical.

Conclusion: trust as a geopolitical factor

The technical aspect of TLS and X.509 certificates is robust, and a private key you generate yourself can be stronger than many public certificates. The central issue lies in the chain of trust, which is mainly controlled by a handful of entities in the United States. For those who value control and transparency, this is a critical consideration. In a world where geopolitical interests increasingly influence technology, it is wise to understand who governs trust, and not blindly accept that the public PKI ecosystem is neutral. Ultimately, the question is whether convenience for end-users is worth the risk of relying on a few commercial or non-profit organizations that manage public trust.