
482 points sanqui | 9 comments
cjalmeida ◴[] No.42285429[source]
It gets worse. ICP-Brasil, the AC mentioned in the bug reports, is the government-run agency responsible for all things related to digital signatures. Digitally signing a contract, a deed, accessing tax returns…
replies(2): >>42285683 #>>42286883 #
1. layer8 ◴[] No.42285683[source]
Unlike web browsers, digital signature use cases should perform revocation checks, so revoking the google.com certificate should solve that.
replies(3): >>42285783 #>>42285825 #>>42292286 #
2. perching_aix ◴[] No.42285783[source]
I think the current "meta" is CAA records? https://blog.cloudflare.com/why-certificate-pinning-is-outda...
replies(2): >>42285927 #>>42292557 #
3. lxgr ◴[] No.42285825[source]
The problem here isn't really that one mis-issued certificate, but rather the general problematic behavior of that CA reported in TFA.

If a CA can be convinced to issue a server certificate for google.com, would you feel very comfortable trusting their contract/deed/... signing certificates?

replies(1): >>42287529 #
4. 8organicbits ◴[] No.42285927[source]
Correct, which Google is using:

https://www.nslookup.io/domains/google.com/dns-records/caa/

5. Muromec ◴[] No.42287529[source]
If the government says you need to use their CA, you may feel the feelings, but you will still use them
replies(1): >>42298170 #
6. bawolff ◴[] No.42292286[source]
Just need to DoS the revocation server right before your digital signature is checked.
7. syncsynchalt ◴[] No.42292557[source]
CAA records rely on the CAs to respect them, and this is an article about how a CA has issued a cert in violation of a CAA record.
replies(1): >>42292602 #
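Comments 4 and 7 above turn on what a CAA record actually does: it is an instruction the issuing CA is expected to evaluate before it signs, and nothing else in the ecosystem enforces it. The check itself, as an added example written for this thread (not code from any CA or from the linked article), follows the tree-climbing and property rules of RFC 8659: climb from the requested name toward the root until a CAA RRset is found, refuse if a critical flag marks a property the CA does not understand, consult issuewild for wildcard requests and issue otherwise, and issue only if one of those records names this CA. The zone below is constructed for the example, and the issuer names in it (pki.goog, letsencrypt.org) are illustrative values, not a claim about any real zone's contents.

```python
"""CAA issuance check following RFC 8659 (added example for this thread).

The zone data is constructed; it is not real DNS data for any domain.
"""
from dataclasses import dataclass

CRITICAL = 0x80                      # the only flag bit RFC 8659 defines
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone: owner name -> CAA RRset. Names absent here have no CAA.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "pki.goog"),
        CAARecord(0, "issue", "letsencrypt.org; accounturi=https://acme.example/acct/1"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # Only wildcard issuance is addressed here, and ";" authorizes nobody.
    "wild.example.com.": [CAARecord(0, "issuewild", ";")],
    # A critical flag on a property this CA does not understand.
    "strict.example.com.": [CAARecord(CRITICAL, "futuretag", "x")],
}


def relevant_rrset(zone, name):
    """Return the closest CAA RRset at or above `name` (RFC 8659 section 3)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    while labels:
        rrset = zone.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]          # climb one label towards the root
    return []


def authorized_issuer(value):
    """Issuer domain from an issue/issuewild value; '' means 'no one'."""
    # Parameters after ';' (e.g. accounturi) are ignored in this example.
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone, requested_name, ca_domain):
    """True if `ca_domain` may issue for `requested_name` under CAA."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    rrset = relevant_rrset(zone, base)
    if not rrset:
        return True                  # no CAA anywhere in the tree: unrestricted

    # Critical flag on a property the CA does not understand: must not issue.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False

    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # issuewild takes precedence for wildcard names; otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                  # only iodef / non-critical unknown tags: unrestricted
    return any(authorized_issuer(rr.value) == ca_domain.lower() for rr in relevant)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "pki.goog"),
                     ("www.example.com", "other-ca.example"),
                     ("*.wild.example.com", "pki.goog"),
                     ("strict.example.com", "pki.goog")]:
        print(f"{ca:>18} -> {name:<22} allowed={issuance_allowed(ZONE, name, ca)}")
```

Every branch in that function runs inside the CA; a CA that skips the lookup, or that treats a lookup failure as permission, issues exactly as if the records did not exist. A relying party (browser or signature verifier) never sees the CAA set at validation time, which is why the record in comment 4 could not have stopped the certificate the article describes.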
8. perching_aix ◴[] No.42292602{3}[source]
Oh right, for some reason I was under the impression that browsers utilize the record too.
9. KetoManx64 ◴[] No.42298170{3}[source]
What would stop me from purging all this CA's certificates from my computer?