Session 3 — Certificates & Digital Trust

Deepa opens her SBI banking app. In under a second, her phone has verified that it is really talking to SBI’s server, that the data passing between them cannot be altered in transit, and that the connection is encrypted. She taps her balance and sees ₹12,450. She never thinks about any of this. Her phone does it automatically, every single time.

But what if her phone got it wrong? What if an attacker had set up a fake SBI server? How does her phone know the difference?

The answer is certificates and the chain of trust. This session explains how the internet’s trust system works — and what happens when it fails.

What You Will Learn

  • What a digital certificate is and what information it contains
  • What Certificate Authorities (CAs) are and why we trust them
  • How the chain of trust works: Root CA → Intermediate CA → Site certificate
  • How your browser verifies a certificate in milliseconds
  • What digital signatures are and why they are legally binding in India
  • What happens when certificate verification fails (the error pages you’ve seen)

The Big Idea

The internet’s trust system is a chain of vouching. Your browser trusts a small list of top-level authorities (built into your device). Those authorities vouch for intermediate authorities. Those vouch for individual websites. If the chain is intact, you can trust the site. If any link in the chain is broken, your browser warns you — loudly.
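As an added illustration (not part of the session material), here is the chain-of-trust check a browser performs, written against Go's standard crypto/x509 library with constructed lab certificates: a root the device trusts, an intermediate the root vouches for, and a site certificate the intermediate vouches for. The CA names, the hostname onlinebanking.example and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent (self-signed when parent is nil); dns is nil for an authority.
func makeCert(cn string, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as public CAs are required to use
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns, IsCA: dns == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if tmpl.IsCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only an authority may sign other certificates
	}
	if parent == nil { // a root vouches for itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainChecks builds Root CA -> Intermediate CA -> site certificate (constructed lab names) and verifies it as a browser would.
func ChainChecks() map[string]bool {
	root, rootKey := makeCert("Lab Root CA", nil, nil, nil)
	inter, interKey := makeCert("Lab Intermediate CA", nil, root, rootKey)
	leaf, _ := makeCert("onlinebanking.example", []string{"onlinebanking.example"}, inter, interKey)
	store, sent, none := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	store.AddCert(root) // the device's built-in trust store holds only the root
	sent.AddCert(inter) // the server presents its intermediate alongside the site certificate
	verify := func(sent, store *x509.CertPool, host string) bool { // trust only the store, use what was sent, check the name
		_, err := leaf.Verify(x509.VerifyOptions{Roots: store, Intermediates: sent, DNSName: host})
		return err == nil
	}
	return map[string]bool{
		"intact chain":         verify(sent, store, "onlinebanking.example"),
		"missing intermediate": verify(none, store, "onlinebanking.example"),
		"root not in store":    verify(sent, none, "onlinebanking.example"),
		"hostname mismatch":    verify(sent, store, "phishing.example"),
	}
}
```

Only the first scenario verifies; the other three are the situations behind the browser warnings this session goes on to explain.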

Character Focus This Session

Deepa walks through her banking app and starts to wonder: “Who decided that DigiCert is trustworthy? Why does my phone trust them?”

Rohan goes deep on how digital signatures work mathematically and what “non-repudiation” means legally.

Warm-Up Check

Before reading on:

  1. You have probably seen a browser warning saying “Your connection is not private” or “This site’s certificate has expired.” What did you do? Did you go back, or click “Advanced” and continue anyway?
  2. If someone showed you an official-looking document that said they were from your bank, how would you verify it was real?
  3. Who decides which Certificate Authorities your phone trusts?

These questions are exactly what this session answers.