Most active commenters
  • foota(3)

←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 11 comments | 30 Nov 24 21:35 UTC | HN request time: 1.348s | source | bottom
Show context
noitpmeder ◴[01 Dec 24 01:02 UTC] No.42285295[source]
Not clear (to me) in the original post -- was this done accidentally or intentionally?
replies(4): >>42285340 #>>42285374 #>>42285593 #>>42285609 #
woodson ◴[01 Dec 24 02:15 UTC] No.42285609[source]
As a CA, how does one accidentally issue a certificate for google.com? I mean, is there a scenario that isn't malicious?
replies(3): >>42285625 #>>42286101 #>>42288078 #
1. tptacek ◴[01 Dec 24 02:19 UTC] No.42285625[source]
Yes, if the interception system involved was meant only for resources within Brazil’s own agency networks.
replies(2): >>42285842 #>>42286581 #
2. lxgr ◴[01 Dec 24 03:07 UTC] No.42285842[source]
But that's not allowed for publicly trusted roots under any circumstances, right? Not sure if that would qualify as an accident.
replies(1): >>42285964 #
3. foota ◴[01 Dec 24 03:33 UTC] No.42285964[source]
I think the parent is saying that if they meant to use the cert only internally (e.g., to monitor employees) then that would arguably not be malicious.
replies(4): >>42285966 #>>42286063 #>>42286215 #>>42286226 #
4. lxgr ◴[01 Dec 24 03:34 UTC] No.42285966{3}[source]
Not malicious, but also not exactly purely accidental, i.e. as part of some otherwise totally legitimate activity.
replies(1): >>42289711 #
5. grayhatter ◴[01 Dec 24 03:55 UTC] No.42286063{3}[source]
> (e.g., to monitor employees) then that would arguably not be malicious.

If only there was a way to monitor company equipment without issuing a cert for a public 3rd party.

replies(1): >>42289210 #
6. tptacek ◴[01 Dec 24 04:33 UTC] No.42286215{3}[source]
It would not be malicious. I don't think there's a serious argument here (bearing in mind that in the airless vacuum of a message we can, of course, argue anything).

I don't know that's what happened here, though; there are malicious possible explanations!

replies(1): >>42289730 #
7. JumpCrisscross ◴[01 Dec 24 04:36 UTC] No.42286226{3}[source]
> if they meant to use the cert only internally (e.g., to monitor employees)

Or to redirect to an internal, no doubt pitched as more secure, search engine.

8. 8organicbits ◴[01 Dec 24 06:12 UTC] No.42286581[source]
Note that this scenario happened for ANSSI and MCS Holdings, so there would be precedence. I'm eager to see what Google concludes this time.

https://security.googleblog.com/2013/12/further-improving-di...

https://security.googleblog.com/2015/03/maintaining-digital-...

9. switch007 ◴[01 Dec 24 16:36 UTC] No.42289210{4}[source]
AI screen monitoring right
10. foota ◴[01 Dec 24 18:05 UTC] No.42289711{4}[source]
I think the accidental part would be in the scope. I'm not an expert on these things, but they could have intended to create a self signed cert only valid within the scope of their IT, but accidentally created one from their CA.
11. foota ◴[01 Dec 24 18:08 UTC] No.42289730{4}[source]
I largely agree, although I think there's some part of a slippery slope specifically when it comes to government, since you could argue that a government monitoring its citizens is also not malicious since (in a democratic society) the government derives its mandate from the people.

This isn't too different from the argument that (I believe reasonably) applies for how a company has the right to monitor employees, but I think many people are opposed to even democratic governments monitoring people and would consider such use malicious.

So a government monitoring its employees is one step closer even than a company, since it's the same organization in this case (though again, I think it's largely reasonable for a government to monitor their employees).