https://blog.param.sh/tags/domain-verification/Recent content in Domain Verification on DevLogsHugoenSat, 25 Apr 2026 18:23:33 +0530https://blog.param.sh/posts/chain-of-trust-signing-tls/Sat, 25 Apr 2026 18:23:33 +0530https://blog.param.sh/posts/chain-of-trust-signing-tls/<h1 id="the-trust-problem"> The Trust Problem <a class="heading-link" href="#the-trust-problem"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <blockquote> <p>If you haven&rsquo;t been following along, this is part of the series <a href="https://blog.param.sh/series/encryption-in-transit" >Encryption in Transit</a>.</p> </blockquote> <p>So far, everything sounds nice in theory. You and a server has a public key, you use it to create a pre-computed symmetric key and talk securely, done.</p> <h3 id="but-how-do-you-even-know-that-public-key-belongs-to-the-server-you-think-it-does"> But, how do you even know that public key belongs to the server you think it does? <a class="heading-link" href="#but-how-do-you-even-know-that-public-key-belongs-to-the-server-you-think-it-does"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <p>Like, imagine you’re trying to connect to your bank. You ask for its public key, and you get a response containing the public key. Cool. But how do you know it&rsquo;s really the bank you&rsquo;re talking to? What if there is an actual attacker sitting and intercepting every request you make to your bank? Which means if you go to <code>bank.com</code> it is actually an attacker trying to portray itself as <code>bank.com</code> and never letting your request reach to the ACTUAL <code>bank.com</code>. In this case, they can just hand you their public key, you happily encrypt everything with it, and now they’re reading all your traffic while pretending to be the bank.</p>