
482 points sanqui | 85 comments
1. danpalmer ◴[] No.42285229[source]
This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.
replies(8): >>42285389 #>>42285408 #>>42285431 #>>42285622 #>>42286061 #>>42286142 #>>42286897 #>>42287654 #
2. jsheard ◴[] No.42285389[source]
What is even the point of a web CA that isn't trusted by all of the major players? Is there one?
replies(3): >>42285424 #>>42285444 #>>42285550 #
3. beeflet ◴[] No.42285408[source]
It's not just a bad look, it's bad period.
4. beeflet ◴[] No.42285424[source]
I suppose it allows you to enable third party control and censorship. If you look at Microsoft's censorship of Bing in China for example, they are more than willing to bend the knee if it means they can get ahead.
replies(1): >>42285660 #
5. move-on-by ◴[] No.42285431[source]
Also being issued on a major US holiday, when many are on PTO, does not help with the look.
replies(1): >>42285701 #
6. tialaramex ◴[] No.42285444[source]
These are generally government CAs, so, typically the situation is Microsoft sold the government Windows, and as part of that deal (at least tacitly) agreed to the CA being trusted, and so every system that's trusting these certificates is a Windows PC anyway, running Edge because the whole point was the government will only use Windows and pays Microsoft $$$.

Why bake it into everybody else's Windows? If you make say a Brazil Government-only Windows which trusts this CA instead, I guarantee somebody crucial in Brazil will buy a 3rd party Windows laptop independently and it doesn't work with this CA's certificates and that ends up as Microsoft's problem to fix, so, easier to just have every Windows device trust the CA.

They'll have an assurance from the CA that it won't do this sort of crap, and that's enough, plausible deniability. Microsoft will say they take this "very seriously" and do nothing and it'll blow over. After all this stuff happened before and it'll happen again, and Windows will remain very popular.

replies(4): >>42285464 #>>42285561 #>>42285818 #>>42285942 #
7. sneak ◴[] No.42285464{3}[source]
Windows is less popular every year.
replies(3): >>42285533 #>>42285732 #>>42285907 #
8. notimetorelax ◴[] No.42285533{4}[source]
I looked at the graphs at Statista. I don’t think it’s so clear cut. Mobile OSs have pushed it down, but it seems to dominate the PC market. Do you have a graph that shows its decline on computers, not mobile phones? Or in absolute unit counts?
replies(2): >>42287363 #>>42287388 #
9. ◴[] No.42285550[source]
10. awinter-py ◴[] No.42285561{3}[source]
what's the state's interest in having their CA built into windows?
replies(7): >>42285580 #>>42285679 #>>42285705 #>>42285808 #>>42285814 #>>42285837 #>>42286935 #
11. tptacek ◴[] No.42285580{4}[source]
States are themselves extraordinarily large IT enterprises, they generally want control of traffic and its transparency or protection, and they are large enough to get arrangements for that, though usually not this particular arrangement.

Large enterprises in the US generally have the same capability, but not loaded into operating systems by default (that is: Walmart's ability to do this on its own network in no way impacts you, who have never worked on that network).

replies(1): >>42285936 #
12. alganet ◴[] No.42285660{3}[source]
As a Brazilian, I find this very unlikely.

In 2013, when the same party was in power, SERPRO was tasked with replacing Microsoft in key aspects, such as government email (which was handled by Outlook Server at that time) and operating systems.

The main reason was fear of espionage. So, in reality, we are more afraid of the US spying on us than random internet dissidents.

replies(1): >>42286217 #
13. lazide ◴[] No.42285679{4}[source]
Legitimate, or illegitimate?
14. alganet ◴[] No.42285701[source]
During carnival we Brazilians often take 3 or 4 days leave.

Would it be fair during that time if I asked you to hold your PRs, bug tickets and work in general because we're on paid leave?

On-call rotation exists for those reasons. Otherwise, all countries would need to respect all other countries holidays.

In fact, we're not even aware of most US holidays. It is likely to be a coincidence.

replies(6): >>42286029 #>>42286059 #>>42286108 #>>42286214 #>>42286300 #>>42286357 #
15. mnau ◴[] No.42285705{4}[source]
E.g. identity verification. My state has a "qualified" certificate that can be used to sign contracts and basically everything else you can do in-person. When you can transfer your home with that, there are higher requirements on checking the identity of a person who gets the certificate.

That CA is not used for much else and is basically confined to our state. But it has to be in Windows, otherwise no other software could verify the signatures.

See eIDAS and other similar schemes.

replies(3): >>42286944 #>>42288746 #>>42292455 #
16. saghm ◴[] No.42285732{4}[source]
I feel confident in guessing that any net changes in Windows popularity have close to no relation to Microsoft's policies around trusted CA. The number of users who are worried about sketchy certificates being trusted by default are dwarfed by the number of users who don't have any idea what a "trusted CA" is but care about more "visible" things like UI changes, performance, and how hard Windows is pushing Edge and other things they don't want.
replies(1): >>42286103 #
17. Onavo ◴[] No.42285808{4}[source]
So they can mitm their own employees without annoying TLS warnings.
replies(2): >>42286301 #>>42286950 #
18. csomar ◴[] No.42285814{4}[source]
So when they issue their certificates, you don't get that huge red banner? I belong to a small developing country and even with its tech illiteracy it has a CA. Now, of course, because that CA is not trusted by anyone, all government websites are red.
19. efitz ◴[] No.42285818{3}[source]
Windows CA program is governed by requirements like any other CA. Microsoft has ways to provision machines with enterprise CA roots so there is no advantage, and highly visible disadvantage, to adding a noncompliant CA to your trust store. I think that the theory that Microsoft would include it to sweeten a sale has no merit, unless you have evidence.

Most certificate trust stores have some certs in them that are sketchy, eg a bunch of university certs from all over Europe. These are slowly dropping off, presumably because it costs quite a bit to operate a CA in a compliant fashion and get it professionally audited.

Issuing a fake cert is grounds for removal from every certificate trust program I’m aware of, if it can’t be demonstrated that they found what went wrong and have fixed it so it can never happen again.

replies(1): >>42286068 #
20. efitz ◴[] No.42285837{4}[source]
Getting your CA into a trust store means that every machine using that trust store will accept your certs. It’s not really necessary for a government or corporation to have a public CA in anyone’s trust store unless they want to issue certificates that everyone trusts. If they just need their own machines to trust their certificates, they can use the management utilities that come with Windows and with AD to distribute an “enterprise root”, which only their machines will trust. This is how most large companies and governments do it.
21. n144q ◴[] No.42285907{4}[source]
You need to show statistics to prove that, not just throw the statement out there, possibly only based on the vibes on HN.
22. adra ◴[] No.42285936{5}[source]
If you're a large enterprise, then it's trivial to add yourself your own custom CA and save the cost/hassle of needing to deal with outside companies. The tradeoff being you need to manage it yourself vs basically paying this third party company to survive?
replies(2): >>42286218 #>>42287574 #
23. amluto ◴[] No.42285942{3}[source]
The solution seems straightforward: limit the trust in the CA to .BR domains.

[domain name typo fixed]

replies(2): >>42285957 #>>42286002 #
24. bitwize ◴[] No.42285957{4}[source]
.bz is the TLD for Belize. Brazil is .br.
25. kelnos ◴[] No.42286002{4}[source]
IIRC name constraints are very poorly supported by client software, so there are likely lots of clients out there that wouldn't even parse that restriction out of the cert, and happily accept anything signed by the CA.
replies(3): >>42286042 #>>42286555 #>>42290933 #
26. lmm ◴[] No.42286029{3}[source]
> Would it be fair during that time if I asked you to hold your PRs, bug tickets and work in general because we're on paid leave?

Yes. That's completely normal for companies that do business with Brazil.

replies(1): >>42286187 #
27. amluto ◴[] No.42286042{5}[source]
I’m not talking about a name constraint — that would need to be part of the root certificate. I’m suggesting that MS add a feature to its root store to constrain the usage of the certificates in the store. IIRC Google’s root store has features like this.
replies(1): >>42286979 #
28. bogota ◴[] No.42286059{3}[source]
Have you never worked at a multinational company?
replies(1): >>42286152 #
29. lokar ◴[] No.42286061[source]
Microsoft is all about bad looks
30. lokar ◴[] No.42286068{4}[source]
IMO, issuing a fake CA for one of the top (and highest risk) domains even once should be the end of that CA (and any other CAs managed by that org)
31. l33t7332273 ◴[] No.42286103{5}[source]
It’s not becoming the users that are the decision makers. A few CTOs could make decisions based on this
replies(1): >>42286249 #
32. noirbot ◴[] No.42286108{3}[source]
For as big a country as Brazil? Totally. I've worked at companies that had minor code freezes for all sorts of holidays in countries we had a big client presence in, specifically to avoid releasing changes to clients that wouldn't have engineers in-office to adapt to them.
33. raincole ◴[] No.42286142[source]
How bad is it? (Genuine question from me who lacks cybersecurity knowledge)
replies(2): >>42286694 #>>42292324 #
34. alganet ◴[] No.42286152{4}[source]
I did, multiple times with multiple countries. All of them had some sort of call rotation. Someone was always at the helm, _especially_ in infrastructure and security.

There are whole startups designed to solve this, like PagerDuty.

I am now very curious to understand where your question comes from. There must be some misunderstanding here. You never went on-call or seen a friend do it?

replies(1): >>42286186 #
35. JumpCrisscross ◴[] No.42286186{5}[source]
> You never went on-call or seen a friend do it?

Red herring [1].

OP said it’s malicious or incompetent to release this on a U.S. holiday weekend. You asked if similar consideration would be given to Brazil. Multiple people chimed in that it would. You’re now pivoting to on-call capacity.

Any amount of on-call capacity can be saturated. That’s why competent multinationals avoid releasing while markets they’re likely to impact are sleeping or drunk. This is a high-level scheduling operation, however, so it’s reasonable for those lower in the organisation to be unaware why an update is being pushed next Tuesday instead of this.

[1] https://en.m.wikipedia.org/wiki/Red_herring

replies(1): >>42286191 #
36. alganet ◴[] No.42286187{4}[source]
Sorry, my example was bad.

In fact, your example is perfect. We're not talking about business. CAs are different.

In security and infrastructure, there's always someone working on holidays. The larger the organization, the higher the chances that some kind of rotation exists.

37. alganet ◴[] No.42286191{6}[source]
You can totally ignore the red herring and focus on the first part. In the end I was just paraphrasing the comment I replied to.

Rotations exist, especially in large organizations, or when there's shared responsibility.

Now we're talking nonsense about "you said, he said", this conversation makes no sense. I am much less invested in this than you think.

replies(1): >>42286205 #
38. JumpCrisscross ◴[] No.42286205{7}[source]
> Rotations exist

Straw man [1]. Nobody claimed otherwise.

Rotation or always-on isn’t a substitute for being aware of your customers. Good culture permeates this throughout the organisation. Competent ones have someone at the top ensuring controls are followed.

[1] https://en.m.wikipedia.org/wiki/Straw_man

replies(1): >>42286268 #
39. JumpCrisscross ◴[] No.42286214{3}[source]
> we're not even aware of most US holidays

You’re not. Someone above you should be. Otherwise that’s incompetence.

40. serial_dev ◴[] No.42286217{4}[source]
As a non Brazilian, sometimes when a government says a company is spying on its citizens, they mean that they want access, too, to the spying and censoring apparatus.
replies(1): >>42286312 #
41. tptacek ◴[] No.42286218{6}[source]
That's true, but in the bad-old-days of the antediluvian WebPKI it was somewhat routine to sell big companies CA=YES certs simply to allow them to do this universally without pushing out updates to all their endpoints. It was a terrible, bad practice, and so far as I know it's completely dead now --- except for Microsoft, I guess.
42. saghm ◴[] No.42286249{6}[source]
If the rationale in the parent comment for this behavior is correct, it sounds like a lot of people making the decision to use Windows are doing it _because_ of behavior like this, not in spite of it.
43. alganet ◴[] No.42286268{8}[source]
Sorry, I lost the track.

Can you explain the point you made precisely, in the context of the original subject?

44. move-on-by ◴[] No.42286300{3}[source]
My comment is not about how all work should stop during US holidays.

What I’m attempting to refer to, is that _if_ this was done with malicious intent, then maybe the hope was that doing it during a holiday would reduce response time or allow it to fly under the radar. Of course, as you say, just because it was a holiday does not inherently mean it’s malicious, it has plausible deniability.

replies(1): >>42286376 #
45. throwaway2037 ◴[] No.42286301{5}[source]
To be clear, this is bog standard in all mega-corps now. They have a vendor product that provides HTTP Internet proxy, then they perform MitM to decrypt HTTPS traffic and re-sign/encrypt with in-house issued cert. Then, this cert is auto-trusted as part of all base OS installations. To be honest, how else can mega-corps spy on HTTPS traffic without this MitM tactic? I don't know any other way.
replies(1): >>42287372 #
46. alganet ◴[] No.42286312{5}[source]
I see your point.

Maybe if I was in government I would think the same. Catch criminals before they act, stuff like that (I'm just being the devil's advocate here).

This is a dilemma, and the worst kind. The kind citizens know nothing about, so the only possible way to talk about it is to speculate. I am, however, too old to speculate about these things anymore.

47. ◴[] No.42286357{3}[source]
48. alganet ◴[] No.42286376{4}[source]
What I actually said is that I believe that the notion of a holiday "hiding" these activities is naive. I don't think it makes any difference.

I don't know if there's a rotation or another system. I think there are probably multiple across different parties responsible for maintaining CA trust.

49. 8organicbits ◴[] No.42286555{5}[source]
I think support for name constraints is much better now, but I think someone needs to correctly audit it. We need near universal adoption for it to be considered a usable tool.

I researched the issue a little here: https://alexsci.com/blog/name-non-constraint/

50. retrodaredevil ◴[] No.42286694[source]
Let's assume that some malicious third party has control of the certificate that was created by this fishy CA. The main attack that they could carry out is a man in the middle (MitM) attack. This attack requires this malicious third party to be able to intercept and change the contents of requests being sent between google.com and someone's web browser.

A MitM attack can be easily carried out by someone in control of an ISP, or someone in control of a WiFi network. So, if you trust your ISP and your WiFi network, realistically you have nothing to worry about.

The reason that this issued certificate could allow an attack like this to happen is because all websites nowadays use HTTPS connections, and certificate authorities are the entities that tell your web browser that certain certificates are legit. They confirm that a website is actually that website.

If you visit some website and someone tries to do a MitM attack between your web browser and that website, the web page should fail to load because if they try to change the certificate, your web browser should reject it because it is invalid.

51. justinclift ◴[] No.42286897[source]
> an even worse look for Microsoft.

Microsoft have a terrible reputation for security, which they've earned through doing stuff like this.

It's not likely to get any better any time soon either, as their trajectory is still pointed downwards.

replies(2): >>42287058 #>>42291038 #
52. tsimionescu ◴[] No.42286935{4}[source]
So that they don't depend on anyone else to have proper TLS for their state sites and for companies operating in their state.

Imagine if you don't have a state CA, and your relationship with the USA goes sour, and the USA prohibits all of their major CAs from doing business with your country, including Let's Encrypt. People in your country still use the internet and you still want to protect them from scammers pretending to be local businesses online. So it's important that you as the state can provide CA services and sign those certificates yourself.

Of course, in this scenario you wouldn't want to be relying on Microsoft to help. But the general principle is that any state who can afford it has a strategic interest in having fully self-sufficient Internet infrastructure, including DNS, CAs, IP allocation etc.

replies(1): >>42287706 #
53. tsimionescu ◴[] No.42286944{5}[source]
Why would you want to mix identity verification with the WebPKI? This makes no sense at all. Just because a CA is trusted for web verification doesn't mean it's trusted for identity verification, machine enrollment, or any other purpose. And vice-versa: a CA for identity verification is not in any way trusted for web verification.
replies(1): >>42288754 #
54. tsimionescu ◴[] No.42286950{5}[source]
You don't need a publicly trusted CA for that. You just run an internal CA and install its root certificate on your employees' machines, just like you install VPN software or whatever else.
55. tsimionescu ◴[] No.42286979{6}[source]
The Windows trust store doesn't offer a verification API, I believe it simply lists the trusted certificates so that they can be looked up by verification software. That is, OpenSSL doesn't ask Windows "hey, is this certificate with this chain trusted for google.com?" it asks Windows "hey, do you have a cert in the trusted root CAs with this ID? If so give it to me", and then OpenSSL will use that root cert to check if this is the real google.com.

Chrome, which is both the cert store and the client on certain OSs, might implement this limited trust. But Windows can't, except maybe for its own internal services.

Either way, this makes little sense overall. If a CA is trustable, it can be trusted to sign a certificate for any domain. And if it's not trustable, then you can't trust it for any domain. Brazilian companies wishing to use a local CA can own .com domain names, so you'd be preventing a completely legitimate use case. Google almost certainly has a google.br domain, so if the Brazil CA is untrustworthy, they can still be used to attack Google even if you only trust them for .br domain.

replies(1): >>42288755 #
56. danpalmer ◴[] No.42287058[source]
I don’t know enough to comment on that reputation, but this surprises me. They’re known for being great at serving and selling to the enterprise, frequently at the expense of end users, and big enterprises/govts care a lot about security usually. Even if much of that caring is box ticking rather than actually looking into the security (hello ISO27001), you’d expect it to result in generally a security conscious culture.
replies(5): >>42287133 #>>42287137 #>>42287457 #>>42287540 #>>42287558 #
57. outworlder ◴[] No.42287133{3}[source]
It's hit and miss.

They have one of the largest cyber security operations worldwide and regularly track and dismantle criminal operations. There's some great people working there.

Then there's Azure. Which is used by large organizations and you would expect it to have the utmost care when it comes to security. But it often does badly, in several instances it allowed different tenants to access information from one another, something unheard of on AWS. For example: https://www.securityweek.com/microsoft-patches-azure-cross-t... or https://www.theregister.com/2024/06/05/tenable_azure_flaw/ or https://borncity.com/win/2023/08/03/microsoft-as-a-security-...

There are so many cross tenant vulnerabilities that there could be some overlap in those URLs, and it's a bit late at night for me to read those carefully, but you get the idea.

They do get the most flak about Windows, which used to be a non networked, single user OS.

58. cassianoleal ◴[] No.42287137{3}[source]
> Even if much of that caring is box ticking rather than actually looking into the security (hello ISO27001), you’d expect it to result in generally a security conscious culture.

If the whole value is in ticking the box, why would that develop a culture that values anything more than the tick?

replies(1): >>42287324 #
59. antonvs ◴[] No.42287324{4}[source]
The cycle usually goes something like box ticking, complacency, security scare, remediation, rinse and repeat.
60. flir ◴[] No.42287363{5}[source]
I think that might be a bit of an unfair caveat. People do real work on mobile OSes. They shop and communicate on mobile OSes, and occasionally organise revolutions.

(Although I'm not sure why "Netcraft confirms, Windows is dying" is a useful comment here anyway. Windows is a behemoth.)

61. echoangle ◴[] No.42287372{6}[source]
Yes, but normally this is done by making your own CA and installing it into your client devices, not by getting it into every device globally by working with Microsoft.
replies(1): >>42287586 #
62. lysace ◴[] No.42287388{5}[source]
https://gs.statcounter.com/os-market-share/desktop/worldwide...

There's a clear but slow trend on desktop.

Jan 2009: 95.4% Windows

Jan 2016: 85.2% Windows

Jan 2024: 73.0% Windows

In e.g. US it's going down faster, desktop market share now at 62%:

https://gs.statcounter.com/os-market-share/desktop/united-st...

63. justinclift ◴[] No.42287457{3}[source]
> but this surprises me

Unfortunately, it's true. People used to relying on Microsoft understandably don't want it to be so, so they're in for a rough time trying to figure out actually workable alternatives. :(

This has been an ongoing problem for years, and every time some new problem is found Microsoft just trots out the PR promises that they'll do better. Without then doing any better.

https://arstechnica.com/information-technology/2022/10/how-a... (2022)

https://arstechnica.com/security/2023/08/microsoft-cloud-sec... (2023)

https://arstechnica.com/information-technology/2024/04/micro... (2024)

For the US government's official perspective on Microsoft's security competence, there's the federal Cyber Safety Review Board report released in April this year:

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review... (2024)

  "Throughout this review, the board identified a series of
  Microsoft operational and strategic decisions that collectively
  points to a corporate culture that deprioritized both enterprise
  security investments and rigorous risk management," the report
  reads.

And so on.

Note that the problems didn't start in 2022, that's just the earliest I could be bothered looking with minimal effort. ;)

64. Muromec ◴[] No.42287540{3}[source]
That's the problem, the only security culture it produces is thinking of security as annoying box ticking.
65. jajko ◴[] No.42287558{3}[source]
Company pushing constant snooping of all activity of users even on professional/enterprise variants of their OS can't be taken seriously re security, so absolutely no idea where this rumor 'They’re known for being great at serving and selling to the enterprise' comes from.

They may be good when luring in customers, but once that's done, they don't give a fuck about anything but their current cash flow. And the fact that ultra-big players can ask them for customized OS distribution that has this turned off (just like my own mega corporation) doesn't change anything on statements above.

66. hulitu ◴[] No.42287574{6}[source]
> If you're a large enterprise, then it's trivial to add yourself your own custom CA

The big CA have their own "Boy club". See Ahmed used cars and certificates.

67. hulitu ◴[] No.42287586{7}[source]
> Yes, but normally this is done by making your own CA and installing it into your client devices, not by getting it into every device globally by working with Microsoft.

Google, Facebook, Microsoft, Apple, Cloudflare, GoDaddy, Let's Encrypt. They all "work with Microsoft".

replies(1): >>42287643 #
68. echoangle ◴[] No.42287643{8}[source]
Does any employer get a certificate from any of the CAs you listed to MITM their internal networks?
replies(1): >>42288144 #
69. jowea ◴[] No.42287654[source]
Funny thing is this is just the latest issue around this CA. For a long time you had to manually add it to the certificate store because it was not trusted by default but the Brazilian government insisted on using it on official websites.
70. withinboredom ◴[] No.42287706{5}[source]
This seems like a matter of signing a certificate signed by an actual CA with your own CA as well. If the relationship sours, you still have your own CA to vouch for it.
replies(1): >>42294433 #
71. 3np ◴[] No.42288144{9}[source]
The listed companies are employers. I think they all have self-managed CAs.
replies(1): >>42288757 #
72. Muromec ◴[] No.42288746{5}[source]
You don't really need your CA doing eIDAS in the system root. This scheme works as a closed system where you need eIDAS app to produce the artifact and another eIDAS app to verify it, when both have their own non-system root.

Ukraine for example successfully operates their own eIDAS-like scheme where everything is based on DSTU+GOST algos not supported by any operating systems or major libraries, the certs are signed by the government root and it doesn't leak into the Web PKI.

73. Muromec ◴[] No.42288754{6}[source]
I think the idea was to use client certs for strong authentication on the government web services, which didn't really take off, except maybe in Estonia.
74. nordsieck ◴[] No.42288755{7}[source]
> Either way, this makes little sense overall. If a CA is trustable, it can be trusted to sign a certificate for any domain. And if it's not trustable, then you can't trust it for any domain.

That's a silly position to take.

When I lived with roommates, I trusted them. But I also locked my bedroom when I went out. Because there's no good reason to rely on trust when you don't have to.

replies(1): >>42288962 #
75. echoangle ◴[] No.42288757{10}[source]
Yes, but surely the listed companies don't use their public and globally trusted CAs to MITM their internal networks. I hope they have another internal CA to allow them to MITM their internal network.
76. tsimionescu ◴[] No.42288962{8}[source]
It is given the design of the PKI and DNS. There's no relation between CA and the TLDs on the certificate being signed.
replies(1): >>42290581 #
77. amluto ◴[] No.42290581{9}[source]
This is true, but it’s an old design that has been (in my opinion at least) obviously wrong since the very beginning of HTTPS. Microsoft could easily fix it, at least for clients that can manage to use an updated API.
replies(1): >>42293809 #
78. cvalka ◴[] No.42290933{5}[source]
As of 2024, they are well supported.
79. tptacek ◴[] No.42291038[source]
This is something people on message boards believe that practitioners roll their eyes about.
80. bawolff ◴[] No.42292324[source]
Well now that everyone knows about it, it's a whole lot less bad.

The bad certificate was caught, and caught quickly. The system works.

It is a bit like if airport security catches someone who wanted to bomb a plane. Yes the immediate gut reaction is that is terrible, but if you think about it for a bit it's actually reassuring, since it's proof the safeguards worked.

81. estebarb ◴[] No.42292455{5}[source]
It doesn't have to be. In Costa Rica the Central Bank has their own CA for the same purpose. We need to download the certificates ourselves. It is inconvenient, but an error by that CA won't propagate to the rest of the world.
82. tsimionescu ◴[] No.42293809{10}[source]
Microsoft has nowhere near the power to change the PKI and/or DNS. And it's not an API problem, it's a problem of where companies go to get their legitimate certs. If there are a lot of companies getting their certs for international TLDs from country CAs, or country TLDs from international CAs, then you have to wait for huge systemic changes before enforcing any kind of TLD-CA relationship.
replies(1): >>42297769 #
83. tsimionescu ◴[] No.42294433{6}[source]
That doesn't achieve anything at a country level if trust stores don't include your CA directly. A country can't just push an update to all its citizens' computers to switch CA, it has to plan ahead for such eventualities.
84. account42 ◴[] No.42297769{11}[source]
Microsoft has absolute power about the restrictions they support in their root store.
replies(1): >>42300019 #
85. tsimionescu ◴[] No.42300019{12}[source]
That's irrelevant. My whole point is that such restrictions go against the whole design of the PKI, at a systemic level. It's actively harmful to try to restrict trust in a CA to certificates for a certain TLD, because the two don't have any relationship whatsoever, by design.

It would be like restricting trust in a CA to certificates for sites whose name starts with a certain letter. It's exactly as meaningful from a Web PKI perspective.

Could Microsoft make it so that Windows only trusts this CA for certificates on domains whose name starts with a "b"? Sure. Would it help with anything? No. Would it be actively harmful to companies whose name starts with A that are using this CA? Yes. The same thing is true for domains whose name ends in .br.
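The thread discusses two different ways of scoping a root: an X.509 name-constraints extension carried inside the CA certificate (kelnos, 8organicbits, cvalka) and a root-store-side policy that says which TLDs a given root is trusted for (amluto, account42, tsimionescu). The following is an added example, not code from any commenter or from Microsoft; it implements the RFC 5280 dNSName subtree matching rule that name constraints use, applies it first as an in-certificate constraint and then as a store-side policy, and runs both over constructed toy chains. The `Cert` class, the CA names and the host names are all constructed for illustration and stand in for real parsed certificates; the store policy is keyed by root subject here where a real store would key by certificate fingerprint.

```python
"""Two ways of limiting what a root is trusted for: an in-certificate
nameConstraints extension versus a root-store-side TLD policy.

Added example, not code from the thread. Certificates are modelled as
plain dataclasses (constructed); a real implementation would read the
SAN and nameConstraints extensions from parsed X.509 objects.
"""
from dataclasses import dataclass, field


def dns_name_in_subtree(host: str, subtree: str) -> bool:
    """RFC 5280 s4.2.1.10 dNSName matching.

    'example.com' matches example.com and every subdomain of it;
    a leading dot ('.br') matches only names that have at least one
    label in front of the suffix, so 'br' itself does not match '.br'.
    """
    host = host.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return host.endswith(subtree)
    return host == subtree or host.endswith("." + subtree)


@dataclass
class Cert:  # constructed stand-in for a parsed X.509 certificate
    subject: str
    san_dns: list  # dNSName entries of subjectAltName
    issuer: str
    permitted: list = field(default_factory=list)  # nameConstraints.permittedSubtrees
    excluded: list = field(default_factory=list)   # nameConstraints.excludedSubtrees


def name_constraints_ok(chain):
    """chain[0] is the leaf, chain[-1] the root.

    Every CA's constraints apply to the certificates below it (RFC 5280
    s6.1.4(g)); checked here against the leaf's SAN names only.
    Returns (accepted, reason).
    """
    leaf = chain[0]
    for ca in chain[1:]:
        for name in leaf.san_dns:
            if any(dns_name_in_subtree(name, ex) for ex in ca.excluded):
                return False, f"{name} is in an excluded subtree of {ca.subject}"
            if ca.permitted and not any(dns_name_in_subtree(name, p) for p in ca.permitted):
                return False, f"{name} is outside the permitted subtrees of {ca.subject}"
    return True, "ok"


# Store-side policy: the trust store, not the certificate, says which
# name subtrees a root may vouch for. None means unrestricted. Keyed by
# subject for readability; a real store would key by fingerprint.
ROOT_STORE_POLICY = {
    "Constructed Brazil Root CA": [".br"],
    "Constructed Global Root CA": None,
}


def root_store_ok(chain, policy=ROOT_STORE_POLICY):
    """Apply the store-side policy to a chain whose root is chain[-1]."""
    root = chain[-1]
    if root.subject not in policy:
        return False, f"{root.subject} is not in the trust store"
    allowed = policy[root.subject]
    if allowed is None:
        return True, "ok"
    for name in chain[0].san_dns:
        if not any(dns_name_in_subtree(name, t) for t in allowed):
            return False, f"{name} is outside the subtrees the store trusts {root.subject} for"
    return True, "ok"


# Constructed roots: one carrying a nameConstraints extension, one without.
BR_ROOT_CONSTRAINED = Cert("Constructed Brazil Root CA", [],
                           "Constructed Brazil Root CA", permitted=[".br"])
BR_ROOT_UNCONSTRAINED = Cert("Constructed Brazil Root CA", [],
                             "Constructed Brazil Root CA")


def make_chain(leaf_names, root):
    """Build a two-element chain (leaf issued directly by root) for the demo."""
    return [Cert("constructed leaf", list(leaf_names), root.subject), root]


if __name__ == "__main__":
    for names in (["www.example.com.br"], ["example.br"], ["www.example.com"]):
        print(names,
              "in-cert:", name_constraints_ok(make_chain(names, BR_ROOT_CONSTRAINED)),
              "store:", root_store_ok(make_chain(names, BR_ROOT_UNCONSTRAINED)))
```

Running it shows the point both sides of the thread make: either mechanism refuses a leaf for `www.example.com` issued under the Brazilian root, whether or not its operator is a legitimate Brazilian company, while any name under `.br` is still accepted, so the restriction narrows the blast radius of a mis-issuance without removing it. The in-certificate form only protects clients that actually parse and enforce the extension; the store-side form only protects clients that consult the store's policy rather than just fetching the root and verifying the chain themselves.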