I am new to the course, and a complete novice to cyber security and IT for that matter, and so far I am enjoying it. However, I thought I should start getting involved in the forum, as I keep running into questions. Who certifies that the certificate authority is legitimate? Is there anyone double-checking that they are following certain standards at all, or even that they are not purposefully creating fake certificates for malicious purposes? It seems to me that, so far, this is one of the biggest threats I have learned about in this course (I am only in section 4 of volume 1). The fact that HTTPS encryption relies on these digital certificates, and that digital certificates come from so many different sources, seems alarming.
Companies like Google, Microsoft and others have lists of verified and trusted certificates that anyone can check. Just google that, and you will get it. There are a few orgs that create these certs, like Symantec, DigiCert, etc. You will find many trusted root certificate lists out there. An example is https://www.checktls.com/showcas.html. These big companies do verify these root certificates from time to time.
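To make the "trusted root list" idea concrete, here is an added example (my own code, not part of the reply above and not from any vendor's tooling) that builds two independent CA hierarchies in memory with Go's standard library and checks a server certificate from each against a trust store that contains only one of the roots. The root names "Trusted Root" and "Rogue Root" and the hostname example.com are made-up values for the demonstration. It shows the point that matters for the original question: a certificate is only accepted because its root sits in the verifier's trust store, so whoever controls that store (browser or OS vendor) decides which CAs are trusted, and a CA that is removed from it can no longer issue certificates that validate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is one root -> intermediate -> leaf chain generated in memory.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue signs tmpl with parentKey under parent; a nil parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root: the template is its own parent
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func leafTemplate(dnsName string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:  []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// buildHierarchy creates a root CA named rootCN, an intermediate under it and a
// server leaf for dnsName under the intermediate (made-up names for the demo).
func buildHierarchy(rootCN, dnsName string) (Hierarchy, error) {
	root, rootKey, err := issue(caTemplate(rootCN, 1), nil, nil)
	if err != nil {
		return Hierarchy{}, err
	}
	inter, interKey, err := issue(caTemplate(rootCN+" Intermediate", 2), root, rootKey)
	if err != nil {
		return Hierarchy{}, err
	}
	leaf, _, err := issue(leafTemplate(dnsName, 3), inter, interKey)
	return Hierarchy{Root: root, Intermediate: inter, Leaf: leaf}, err
}

// trustStore collects the root certificates of the given hierarchies, playing
// the role of a browser's or OS's trusted root list.
func trustStore(hs ...Hierarchy) []*x509.Certificate {
	var roots []*x509.Certificate
	for _, h := range hs {
		roots = append(roots, h.Root)
	}
	return roots
}

// verifyAgainst validates h.Leaf for dnsName using only store as trust anchors,
// with h.Intermediate supplied the way a TLS server sends it in the handshake.
func verifyAgainst(h Hierarchy, store []*x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range store {
		roots.AddCert(r)
	}
	inters.AddCert(h.Intermediate)
	_, err := h.Leaf.Verify(x509.VerifyOptions{
		DNSName: dnsName, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether err means "no chain to a trusted root".
func isUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// isHostnameMismatch reports whether err means the cert is for another name.
func isHostnameMismatch(err error) bool {
	var e x509.HostnameError
	return errors.As(err, &e)
}

func main() {
	trusted, _ := buildHierarchy("Trusted Root", "example.com")
	rogue, _ := buildHierarchy("Rogue Root", "example.com")
	store := trustStore(trusted)
	fmt.Println("trusted leaf, trusted store:", verifyAgainst(trusted, store, "example.com"))
	fmt.Println("rogue leaf, trusted store:", verifyAgainst(rogue, store, "example.com"))
	fmt.Println("rogue leaf, store that also lists the rogue root:",
		verifyAgainst(rogue, trustStore(trusted, rogue), "example.com"))
}
```

The second check fails with an unknown-authority error even though the rogue certificate is perfectly well-formed and signed; the third check succeeds the moment the rogue root is added to the store. That is the whole reason root programs audit CAs and remove misbehaving ones: removal from the store is what turns a CA's certificates from trusted into untrusted.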
Have a read on how, a few years ago, Symantec's malicious certs were identified by Google and then they were penalized. Just google it and you should get this news.