    482 points sanqui | 18 comments
    1. sabbaticaldev ◴[] No.42285451[source]
    Can someone explain what could be done with that and by whom?
    replies(4): >>42285493 #>>42285508 #>>42285512 #>>42286140 #
    2. tptacek ◴[] No.42285493[source]
    Microsoft appears to have arranged with the government of Brazil for one of their national CAs to have the ability to mint arbitrary certificates. Only Microsoft's own WebPKI software cares; Chrome, Safari, and Firefox don't trust this CA.
    3. 77pt77 ◴[] No.42285508[source]
    Whoever has the private certificate can pretend to be google.com to people using Windows.

    The browser (possibly only Edge) and system would show the connection as being secure.

    replies(1): >>42285709 #
    4. woofcat ◴[] No.42285512[source]
    Whoever has this fake certificate can run a server and say it's google.com and Windows will say "yep you are" with the little green lock.
    replies(2): >>42285605 #>>42287273 #
    5. bufferoverflow ◴[] No.42285605[source]
    The certificate is for a specific IP address, no?

    And without DNS pointing google.com to that IP address, it's pretty useless.

    replies(3): >>42285639 #>>42286509 #>>42287444 #
    6. zer0x4d ◴[] No.42285639{3}[source]
    Nope, certificates are issued for CNs (Common Names), also known as FQDNs (Fully qualified domain names). Something such as *.google.com, not IP addresses.

    If they were issued for IP addresses they would have to reissue the certificate every time they spun up a new server. Also it's why if you spin up another server and make DNS point google.com to that server, it would not pass verification since the certificate you will be using on that server is not issued to *.google.com, but rather some other domain you own. The IP address plays no role in certificates.

    replies(2): >>42285695 #>>42285748 #
    7. buzer ◴[] No.42285695{4}[source]
    Certificates can be issued to IP addresses (at least on SAN level, not sure if they are allowed in CN in CA/B baseline requirements), like https://crt.sh/?id=15492507462
    replies(1): >>42286041 #
    8. ◴[] No.42285709[source]
    9. colanderman ◴[] No.42285748{4}[source]
    Nit: a CN (stored in the Subject field of a cert) is not an FQDN, though historically web browsers treated them as such. This practice is now deprecated. Modern practice is for the domain name(s) to be placed in the Subject Alternative Name (SAN) field.

    The Subject field is not consulted so long as the SAN field is present, and can in theory be any X.500 Distinguished Name, of which Common Name is one possible attribute, which may be any freeform string of a limited length (though it is typically set to the primary domain the cert is issued for, for easy identification).
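
Added example, not part of any comment in this thread: a strict SAN-only name check of the kind described above, covering both dNSName and iPAddress entries and never consulting the Subject CN. The certificate dicts are constructed samples in the layout of Python's `ssl.SSLSocket.getpeercert()`; the function names and the `example.com` / `192.0.2.10` values are assumptions made for illustration.

```python
import ipaddress

def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one dNSName SAN entry with the requested host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard must be the whole left-most label, with >= 2 labels after it.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(cert: dict, target: str) -> bool:
    """SAN-only identity check; the Subject CN is never consulted."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is satisfied only by an iPAddress SAN entry.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and dns_name_matches(value, target)
               for kind, value in sans)

# Constructed sample certificates (getpeercert() dict layout).
DNS_CERT = {
    "subject": ((("commonName", "any freeform string"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
IP_CERT = {
    "subject": ((("commonName", "edge node"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "www.example.com"),),)}

if __name__ == "__main__":
    checks = [(DNS_CERT, "www.example.com"), (DNS_CERT, "a.b.example.com"),
              (DNS_CERT, "192.0.2.10"), (IP_CERT, "192.0.2.10"),
              (CN_ONLY_CERT, "www.example.com")]
    for cert, name in checks:
        print(f"{name!r:22} -> {cert_matches(cert, name)}")
```
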

    10. Arrowmaster ◴[] No.42286041{5}[source]
    That is different in context to what was being asked though.
    11. brianpan ◴[] No.42286140[source]
    It's not entirely about this particular certificate (although this is bad, too). This is about a certificate authority giving someone who is NOT Google a certificate that can be used to "prove" a server is Google. Accidental or not, this should not happen.

    The "blast radius" is limited to Microsoft since they are the only ones that trust this particular certificate authority. Your non-Microsoft browser won't trust these certs. Your non-Microsoft OS, Java program, etc. etc. won't trust these certs.

    replies(1): >>42286704 #
    12. ◴[] No.42286509{3}[source]
    13. xcrunner529 ◴[] No.42286704[source]
    Chrome uses the Windows trust store on Windows, IIRC.
    replies(1): >>42291925 #
    14. baobabKoodaa ◴[] No.42287273[source]
    Where? In Edge you mean?
    replies(1): >>42287433 #
    15. echoangle ◴[] No.42287433{3}[source]
    And everything that uses the OS trust store, when run on Windows, I assume.
    16. echoangle ◴[] No.42287444{3}[source]
    > And without DNS pointing google.com to that IP address, it's pretty useless.

    On the internet itself maybe, but you can still MITM people on some network, right?

    17. brianpan ◴[] No.42291925{3}[source]
    I dug a little and apparently Chrome previously used the trust store of the platform but has now transitioned away from that to use their own. https://blog.chromium.org/2022/09/announcing-launch-of-chrom...

    But even before they switched to this "Chrome Root Program", they have distrusted specific CAs, for example Symantec in 2017. https://security.googleblog.com/2017/09/chromes-plan-to-dist...

    replies(1): >>42292781 #
    18. xcrunner529 ◴[] No.42292781{4}[source]
    Thanks for the info! Didn’t know they moved on.