Also, fwiw, once you start going manually you could remove the idea of a centralised authority and use this web of trust model. Non-technically, imagine that instead of getting a certificate from a trusted authority you get a certificate you know you can trust because a bunch of other users or other organisations have signed it, saying it's the right one. Or you could meet up with the site owner in person and he could give you one you know for sure is correct, and then you'd use it and sign it saying 'I'm certain it's his' (there are usually different levels of how sure you are that you can sign with). There are pros and cons here. But more practical is to have someone set up an OpenNIC-supporting authority.
Think of it like this (a lot of lies and simplification here, someone else jump in if I've said anything outright retarded):
>you ask for a site by url
>DNS server gives you back its actual location
>you want to be sure it's definitely the right site
>ask certificate authority for the site's certificate
>check this against the one provided by the location the DNS server said was correct (there's complicated maths involved here and it's not really like a simple check, but trust me, the site can't spoof this part)
>now you know both that it's the correct site and also that all of your communications from this verification onwards are end-to-end encrypted, so anyone who comes along later (or was there from the start) and sits between the two of you can't read them or intercept them and replace them with faked versions
The second part is key because even if you trust the DNS server you can't always be sure there's not a man in the middle elsewhere in the system. Obviously the question is 'but how do I know the certificate authority is real without getting a certificate from them?' and that's why they get built into browsers.
You can, on paper, chop out the certificate authority entirely if you've got a reliable alternative method of acquiring a known correct version of the certificate. So we could meet up and swap them in real life or whatever or use an alternative secure method to communicate them. SSH uses similar tech and generally doesn't need centralised authorities, for example, and you also can do this with email. This is the same basic technology hotwheels used to use to sign his posts so you knew that he definitely made them. /tech/ may now come and shout at me for saying something incorrect.
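
Added example, not part of the original post: a minimal Python sketch of the "swap certificates in real life" idea, where a client skips the certificate authority and trusts a server only if its certificate matches a fingerprint obtained out of band. The host names, the `PINS` store and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(pins: dict, host: str, cert_der: bytes) -> str:
    """Compare a presented certificate with the fingerprint pinned for host.

    Returns "match", "mismatch", or "unknown" (no pin recorded yet).
    An unknown host is never pinned automatically: the fingerprint has to
    arrive over a separate trusted channel, e.g. in person.
    """
    pinned = pins.get(host)
    if pinned is None:
        return "unknown"
    ok = hmac.compare_digest(pinned, fingerprint(cert_der))
    return "match" if ok else "mismatch"


def fetch_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate a server presents, with CA validation turned off.

    The result is untrusted until check_pin() returns "match".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample data: placeholder bytes standing in for DER certificates.
OWNER_CERT = b"constructed-der-bytes-for-site-owner"
MITM_CERT = b"constructed-der-bytes-for-interceptor"

# Fingerprint handed over in person by the (hypothetical) site owner.
PINS = {"site.example": fingerprint(OWNER_CERT)}

if __name__ == "__main__":
    for label, cert in (("owner", OWNER_CERT), ("interceptor", MITM_CERT)):
        print(label, check_pin(PINS, "site.example", cert))
    print("other host:", check_pin(PINS, "other.example", OWNER_CERT))
```

A "mismatch" is the case the post describes: someone sitting in the middle presents a different certificate, and the connection should be dropped rather than the pin updated.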