Skip to content
Tech News
← Back to articles

WebPKI and You

2026-03-09 | original
read original get WebPKI and SSL → more articles

There’s been a push over the last twelve years to move web traffic off unencrypted HTTP to encrypted HTTPS, to protect the general public from dragnet surveillance, gaping assholes on public wifi 1 1 Ironically this site has an expired cert, so I’ve linked the non-HTTPS version. There are incredibly not-safe-for-work shock images in some of the links there so you do not want to browse past the first page if “gaping asshole” feels like an odd phrasing and doesn’t evoke a specific image: http://gbppr.net/defcon/evilscheme/index.html , backhauls over unencrypted satellites, that kinda thing. HTTPS relies on a public key infrastructure to make sure only authorized servers have keys for specific websites.

This public key infrastructure isn’t just a bunch of servers and vaults in datacenter cages around the world. It’s a social and political system operated and regulated by several parties with conflicting goals.

Table of Contents

This post represents many months of research and writing in my spare time. It’s fundamentally just one possible interpretation of the technologies, events, and actors in this complex system. Any opinions here are mine alone, and not of my employer or anyone else.

The Basics and What We Expect from WebPKI

The public key infrastructure of the web, commonly referred to as WebPKI, has to work in some difficult scenarios. Someone who’s never touched a trackpad relies on their ability to buy a new computer at the store, put it on the wifi at DEF CON, and connect to their bank’s website to kick off a wire transfer to buy a house with it. 2 2 it was actually the airport on the way to DEF CON and a computer I’ve had for some years, but still felt sketch making a non-reversible transfer of a shitload of money The way this user’s bank, the First Example Bank of Money, proves that they’re the bank is complicated.

When provisioning their server, the bank generates a private key and derives a public key from it The bank sends their public key and some proof that they’re the legitimate operator of bank.example to a Certificate Authority (CA) The CA validates this proof and issues a certificate containing: server addresses this certificate is valid for, bank.example and www.bank.example

and the public key from step 1

how the validation happened

who the CA thinks requested the certificate, “First Example Bank of Money” of “Example Locality” in “Example Country”

... continue reading

Explore topics: webpki defcon https public key wifi
Related:
HomeKit Weekly: Shelly Gen4 Plug brings Wi-Fi 6, Matter, and Thread to a single smart outlet
Shall I implement it? No
Best Mesh Wi-Fi Routers for 2026
Apple Launches MacBook Pros With New M5 Pro, M5 Max Chips
Ask HN: Who is hiring? (March 2026)

© 2026 GoKawiil

About | Editorial Policy | Contact