←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 7 comments | 30 Nov 24 21:35 UTC | HN request time: 0.415s | source | bottom
Show context
leonidasv ◴[01 Dec 24 01:49 UTC] No.42285504[source]
ICP-Brasil officially stopped emitting public-facing SSL/TLS certificates in October: https://www.gov.br/iti/pt-br/assuntos/noticias/indice-de-not...

This is pretty bad. Someone circunvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good.

replies(2): >>42285566 #>>42293773 #
TheRealPomax[dead post] ◴[01 Dec 24 02:04 UTC] No.42285566[source]
[flagged]
1. semitones ◴[01 Dec 24 02:23 UTC] No.42285642[source]
Do you actually understand what's going here?
replies(3): >>42285674 #>>42286202 #>>42291449 #
2. raincole ◴[01 Dec 24 04:30 UTC] No.42286202[source]
As someone who doesn't understand what's actually going on: could someone ELI5?
replies(1): >>42286322 #
3. saagarjha ◴[01 Dec 24 05:04 UTC] No.42286322[source]
CAs are in the business of being a trusted third party that, among other things, verifies the identity of things. In this case someone seems to have scammed/hacked/whatever the CA into issuing a certificate for google.com, which is clearly bogus. So the result is that we should not trust this CA anymore.
replies(1): >>42286378 #
4. raincole ◴[01 Dec 24 05:17 UTC] No.42286378{3}[source]
But why would someone hacked a CA to just... issue a certificate for google.com? How does it benifit them? I'd imagine they issue a certficate for some phishing sites or something.
replies(3): >>42286420 #>>42286833 #>>42286895 #
5. cmeacham98 ◴[01 Dec 24 05:27 UTC] No.42286420{4}[source]
It's entirely possible this certificate is being used to mitm attack and phish people right now.
6. salawat ◴[01 Dec 24 07:22 UTC] No.42286833{4}[source]
So... Think of it like this. All of us have tried to shield users from having to develop or maintain their own trust networks. It's a hell of a lot of work. And it isn't sexy. These CA's are basically that implementation. They have been programmed in by default on most devices to be trusted, and changing that status after the fact is very hard.

The reason someone would want to to be able to issue one of these certs is it essentially allows them to eavesdrop on normally unreadable connection data because the device thinks the system in the middle is actually a trustworthy endpoint, and not a malicious TLS terminating proxy.

No one whose devices are by default trusting that CA now have any guarantee of confidentiality on any connection to a system presenting those issued certs.

7. tsimionescu ◴[01 Dec 24 07:41 UTC] No.42286895{4}[source]
In short, whoever has that certificate can now come between your PC and the real Google, and tell your PC "here is the real google.com" while serving you malware, in a way that Windows will trust. You typed in google.com in the address bar, your browser got the attacker's IP, and then the attacker has a certificate that says they're the real google.com, so your browser will go "all right, all good".

Basically the way certificates work is that whoever has a certificate for a domain name will be able to serve anything they want and browsers will accept this is the real domain. To turn this into an attack, they just need to trick your DNS into pointing your to their machine, or to intercept your traffic even while you're accessing the real server.

Getting a certificate for "mytotallyrealnotascamwinkwink.phishing.com" is not useful in any way for an attacker: the whole idea is to have the user think they are on a trusted site like google.com, while in reality looking at the attacker's site.