
482 points sanqui | 2 comments
sabbaticaldev No.42285451
Can someone explain what could be done with that and by whom?
replies(4): >>42285493 #>>42285508 #>>42285512 #>>42286140 #
woofcat No.42285512
Whoever has this fake certificate can run a server and say it's google.com, and Windows will say "yep, you are" with the little green lock.
replies(2): >>42285605 #>>42287273 #
bufferoverflow No.42285605
The certificate is for a specific IP address, no?

And without DNS pointing google.com to that IP address, it's pretty useless.

replies(3): >>42285639 #>>42286509 #>>42287444 #
zer0x4d No.42285639
Nope, certificates are issued for CNs (Common Names), also known as FQDNs (Fully Qualified Domain Names). Something such as *.google.com, not IP addresses.

If they were issued for IP addresses, they would have to reissue the certificate every time they spun up a new server. It's also why, if you spin up another server and make DNS point google.com to that server, it would not pass verification, since the certificate you will be using on that server is not issued to *.google.com but rather to some other domain you own. The IP address plays no role in certificates.

replies(2): >>42285695 #>>42285748 #
1. buzer No.42285695
Certificates can be issued to IP addresses (at least at the SAN level; not sure if they are allowed in the CN under the CA/B Baseline Requirements), like https://crt.sh/?id=15492507462
replies(1): >>42286041 #
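The matching rules the two comments above argue about, written out as an added example that is not part of this thread or of any browser's code: a simplified RFC 6125-style check of what the client typed (a hostname or an IP literal) against a certificate's Subject Alternative Name entries. It shows why the IP a domain resolves to plays no role unless the certificate carries an iPAddress SAN, and why a wildcard like *.google.com covers exactly one label. The `SubjectAltNames` container and the sample SAN lists (including the 203.0.113.0/24 documentation address) are constructed for this example; modern clients (Chrome since version 58, for instance) only consult the SAN extension and ignore the CN, which is why this code has no CN fallback.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SubjectAltNames:
    """Constructed stand-in for a parsed subjectAltName extension:
    the dNSName and iPAddress entries a real certificate would carry."""
    dns_names: list = field(default_factory=list)
    ip_addresses: list = field(default_factory=list)


def _dns_name_match(pattern: str, name: str) -> bool:
    """Match one hostname against one dNSName entry (RFC 6125-style).

    Comparison is case-insensitive. A wildcard is honoured only as the
    entire left-most label and it matches exactly one label, so
    *.google.com covers www.google.com but neither google.com nor
    a.b.google.com. Wildcards at the public-suffix level (*.com) and
    partial-label wildcards (w*.google.com) are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(n_labels) != len(p_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def reference_matches(san: SubjectAltNames, reference: str) -> bool:
    """Decide whether a client should accept this certificate for the
    identifier the user connected to (hostname or literal IP).

    The IP the name resolves to is never looked at: a hostname is checked
    only against dNSName entries, and an IP literal only against
    iPAddress entries, as a TLS client does.
    """
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(x) == ip for x in san.ip_addresses)
    return any(_dns_name_match(p, reference) for p in san.dns_names)


# Constructed sample SAN lists, not taken from any real certificate.
GOOGLE_STYLE_SAN = SubjectAltNames(dns_names=["*.google.com", "google.com"])
IP_SAN = SubjectAltNames(dns_names=["example.com"],
                         ip_addresses=["203.0.113.10"])


if __name__ == "__main__":
    for san, ref in [(GOOGLE_STYLE_SAN, "www.google.com"),
                     (GOOGLE_STYLE_SAN, "a.b.google.com"),
                     (GOOGLE_STYLE_SAN, "142.250.80.46"),
                     (IP_SAN, "203.0.113.10"),
                     (IP_SAN, "203.0.113.11")]:
        print(f"{ref:>16} -> {reference_matches(san, ref)}")
```

Pointing DNS for google.com at a server you control changes nothing here: the client still compares the typed name against the dNSName entries, and the only way an IP literal is ever accepted is an exact iPAddress entry, which is the case buzer's crt.sh link shows.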
2. Arrowmaster No.42286041
That is different in context from what was being asked, though.