Most active commenters
  • foota(3)

←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 14 comments | 30 Nov 24 21:35 UTC | HN request time: 0.627s | source | bottom
Show context
noitpmeder ◴[01 Dec 24 01:02 UTC] No.42285295[source]
Not clear (to me) in the original post -- was this done accidentally or intentionally?
replies(4): >>42285340 #>>42285374 #>>42285593 #>>42285609 #
1. woodson ◴[01 Dec 24 02:15 UTC] No.42285609[source]
As a CA, how does one accidentally issue a certificate for google.com? I mean, is there a scenario that isn't malicious?
replies(3): >>42285625 #>>42286101 #>>42288078 #
2. tptacek ◴[01 Dec 24 02:19 UTC] No.42285625[source]
Yes, if the interception system involved was meant only for resources within Brazil’s own agency networks.
replies(2): >>42285842 #>>42286581 #
3. lxgr ◴[01 Dec 24 03:07 UTC] No.42285842[source]
But that's not allowed for publicly trusted roots under any circumstances, right? Not sure if that would qualify as an accident.
replies(1): >>42285964 #
4. foota ◴[01 Dec 24 03:33 UTC] No.42285964{3}[source]
I think the parent is saying that if they meant to use the cert only internally (e.g., to monitor employees) then that would arguably not be malicious.
replies(4): >>42285966 #>>42286063 #>>42286215 #>>42286226 #
5. lxgr ◴[01 Dec 24 03:34 UTC] No.42285966{4}[source]
Not malicious, but also not exactly purely accidental, i.e. as part of some otherwise totally legitimate activity.
replies(1): >>42289711 #
6. grayhatter ◴[01 Dec 24 03:55 UTC] No.42286063{4}[source]
> (e.g., to monitor employees) then that would arguably not be malicious.

If only there was a way to monitor company equipment without issuing a cert for a public 3rd party.

replies(1): >>42289210 #
7. Thaxll ◴[01 Dec 24 04:03 UTC] No.42286101[source]
You know testing stuff like example.com ...
8. tptacek ◴[01 Dec 24 04:33 UTC] No.42286215{4}[source]
It would not be malicious. I don't think there's a serious argument here (bearing in mind that in the airless vacuum of a message we can, of course, argue anything).

I don't know that's what happened here, though; there are malicious possible explanations!

replies(1): >>42289730 #
9. JumpCrisscross ◴[01 Dec 24 04:36 UTC] No.42286226{4}[source]
> if they meant to use the cert only internally (e.g., to monitor employees)

Or to redirect to an internal, no doubt pitched as more secure, search engine.

10. 8organicbits ◴[01 Dec 24 06:12 UTC] No.42286581[source]
Note that this scenario happened for ANSSI and MCS Holdings, so there would be precedence. I'm eager to see what Google concludes this time.

https://security.googleblog.com/2013/12/further-improving-di...

https://security.googleblog.com/2015/03/maintaining-digital-...

11. tialaramex ◴[01 Dec 24 12:26 UTC] No.42288078[source]
Most Certificate Authorities have manual issuance†, at least as an option. There's a UI where an authorized employee can issue whatever they want, the UI may be fairly crude or something quite polished used in ordinary business processes.

So an employee can type in google.com and check any boxes about did you verify this is the correct name and it's OK to issue, and then they hit issue and the certificate is minted, just like that.

Why google.com? Well, if you're testing something, say a web browser, what web site comes to mind? Maybe google.com? Doesn't work. Oh - the cable is unplugged. Doesn't work. Wait, this checkbox isn't checked, try again. Aha, now it works... Oops we issued a certificate for google.com

This is a "Never" event, there should be countless things in place to ensure it doesn't happen. In practice, just like safety guards on dangerous machinery, too many people just can't be bothered with safety, it's a cultural issue.

† Let's Encrypt famously does not. As part of the Mozilla application process they need to show their certificates expire properly, usually people either manually issue a back-dated certificate which has expired already, or they manually issue one with a deliberately short lifetime to expire. Since they can't issue manually Let's Encrypt obtained an ordinary certificate from their own service and then waited ninety days for it to expire like a fucking boss.

12. switch007 ◴[01 Dec 24 16:36 UTC] No.42289210{5}[source]
AI screen monitoring right
13. foota ◴[01 Dec 24 18:05 UTC] No.42289711{5}[source]
I think the accidental part would be in the scope. I'm not an expert on these things, but they could have intended to create a self signed cert only valid within the scope of their IT, but accidentally created one from their CA.
14. foota ◴[01 Dec 24 18:08 UTC] No.42289730{5}[source]
I largely agree, although I think there's some part of a slippery slope specifically when it comes to government, since you could argue that a government monitoring its citizens is also not malicious since (in a democratic society) the government derives its mandate from the people.

This isn't too different from the argument that (I believe reasonably) applies for how a company has the right to monitor employees, but I think many people are opposed to even democratic governments monitoring people and would consider such use malicious.

So a government monitoring its employees is one step closer even than a company, since it's the same organization in this case (though again, I think it's largely reasonable for a government to monitor their employees).