peeteer

Hi it's me, a 24 year old. The new Reddit design sucks.

A government could create a new certificate for any domain without having ownership of the domain or permission of the owner. This way they can perform Man-in-the-middle attacks.

In such an attack someone intercepts the traffic of a client and presents their own certificate.

Because a government can create a universally accepted certificate, thise would be accepted as valid. The traffic can then be decrypted and forwarded to the real website. The attacker is now between the client and the real host (the Man in the middle) and can view the unencrypted traffic.

As a side note: you not technically need a domain or a let's encrypt certificate to enable https. As a test you can create your own certificate, and use that for https (snake-oil certificate).

This is not appropriate for longer-term usage. If you want to run websites on the Internet long-term, you should buy a domain and get a lets-encrypt certificate.