An SSL certificate can be either self-signed or signed by a certificate authority. Modern browsers will only trust a site that provides an authority-signed certificate.
A user can get an authority-signed certificate for their domain if they prove to the authority that they own the domain name (e.g., via the ability to manipulate the domain’s DNS records).
This is done to establish some sort of security — they prove to the browser that the site the browser is visiting is actually controlled by the legitimate owner of the domain.
But I don’t understand how this proof of ownership actually increases security.
Isn’t it pretty much implied that a domain owner owns the underlying site it points to? And even if it doesn’t, why does that matter?
Is the idea that a hacker could breach the DNS records and point a well-known domain to their malicious server? I can see how this would protect end users. But if a hacker has that level of access, they can just generate a new SSL cert to plop onto their server anyways.
I keep reading that this helps against bad actors spoofing well-known sites with something like "go0gle.com". But if this attacker owns "go0gle.com", they can get a CA to issue them a cert for this copycat domain name and appear as "trustworthy" in the eyes of the browser.