    482 points sanqui | 11 comments
    1. cjalmeida No.42285429
    It gets worse. ICP-Brasil, the AC mentioned in the bug reports, is the government-run agency responsible for all things related to digital signatures. Digitally signing a contract, a deed, accessing tax returns…
    replies(2): >>42285683 #>>42286883 #
    2. layer8 No.42285683
    Unlike web browsers, digital signature use cases should perform revocation checks, so revoking the google.com certificate should solve that.
    replies(3): >>42285783 #>>42285825 #>>42292286 #
    3. perching_aix No.42285783
    I think the current "meta" is CAA records? https://blog.cloudflare.com/why-certificate-pinning-is-outda...
    replies(2): >>42285927 #>>42292557 #
    4. lxgr No.42285825
    The problem here isn't really that one mis-issued certificate, but rather the general problematic behavior of that CA reported in TFA.

    If a CA can be convinced to issue a server certificate for google.com, would you feel very comfortable trusting their contract/deed/... signing certificates?

    replies(1): >>42287529 #
    5. 8organicbits No.42285927{3}
    Correct, which Google is using:

    https://www.nslookup.io/domains/google.com/dns-records/caa/

    6. justinclift No.42286883
    So you're saying it's only a matter of time until they issue a cert for x.com as well? :)
    7. Muromec No.42287529{3}
    If the government says you need to use their CA, you may feel the feelings, but you will still use them.
    replies(1): >>42298170 #
    8. bawolff No.42292286
    Just need to DoS the revocation server right before your digital signature is checked.
    9. syncsynchalt No.42292557{3}
    CAA records rely on the CAs to respect them, and this is an article about how a CA has issued a cert in violation of a CAA record.
    replies(1): >>42292602 #
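    The CAA evaluation that comments 3, 5 and 9 are debating, as an added example that is not part of the thread and not anyone's project code: it implements the RFC 8659 lookup rules (climb to the nearest domain with CAA records, `issuewild` overriding `issue` for wildcard names, an empty issuer meaning "nobody", an unknown critical property meaning "refuse") over a constructed in-memory zone rather than live DNS, so an auditor can ask whether a given issuer was authorized for the names in a certificate.

```python
# Added example (not from the thread): RFC 8659-style CAA evaluation over a
# constructed zone. Names, records and the ZONE table are made up for illustration.
from typing import Dict, List, Tuple

# Constructed CAA data: domain -> list of (flags, tag, value). Not real DNS answers.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "pki.goog"), (0, "issuewild", "letsencrypt.org")],
    "locked.example.com": [(0, "issue", ";")],        # empty issuer: nobody may issue
    "strict.example.com": [(128, "futuretag", "x")],  # critical flag on an unknown tag
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_caa_set(fqdn: str) -> List[Tuple[int, str, str]]:
    """Walk towards the root; the first name that has any CAA records is authoritative.
    A wildcard name is evaluated at its parent (the '*.' label is dropped)."""
    labels = fqdn.lower().rstrip(".").lstrip("*.").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []  # no CAA anywhere up the tree: no restriction


def issuer_of(value: str) -> str:
    """A CAA value is '<issuer-domain>[; key=val ...]'; '' means no CA is permitted."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca_domain: str) -> bool:
    """Would a CA identified by ca_domain be authorized to issue for fqdn?"""
    rrset = relevant_caa_set(fqdn)
    # A critical property the CA does not understand forbids issuance outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    wildcard = fqdn.startswith("*.")
    tags = [tag for _, tag, _ in rrset]
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    permitted = [issuer_of(value) for _, tag, value in rrset if tag == wanted]
    if not permitted:
        return True  # no property of the relevant kind: unrestricted
    return ca_domain.lower() in permitted


def names_violating_caa(san_list: List[str], ca_domain: str) -> List[str]:
    """Audit helper: which names in a certificate's SAN list was this CA not authorized for?"""
    return [name for name in san_list if not may_issue(name, ca_domain)]
```

    This evaluates the records as published, which is exactly comment 9's point: it can flag a certificate that contradicts CAA after the fact, but it cannot stop a CA that never performs the check.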
    10. perching_aix No.42292602{4}
    Oh right, for some reason I was under the impression that browsers utilize the record too.
    11. KetoManx64 No.42298170{4}
    What would stop me from purging all this CA's certificates from my computer?