
482 points sanqui | 14 comments
danpalmer No.42285229
This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.
move-on-by No.42285431
Also being issued on a major US holiday, when many are on PTO, does not help with the look.
1. alganet No.42285701
During Carnival we Brazilians often take 3 or 4 days' leave.

Would it be fair during that time if I asked you to hold your PRs, bug tickets and work in general because we're on paid leave?

On-call rotation exists for those reasons. Otherwise, all countries would need to respect all other countries holidays.

In fact, we're not even aware of most US holidays. It is likely to be a coincidence.

2. lmm No.42286029
> Would it be fair during that time if I asked you to hold your PRs, bug tickets and work in general because we're on paid leave?

Yes. That's completely normal for companies that do business with Brazil.

3. bogota No.42286059
Have you never worked at a multinational company?
4. noirbot No.42286108
For as big a country as Brazil? Totally. I've worked at companies that had minor code freezes for all sorts of holidays in countries we had a big client presence in, specifically to avoid releasing changes to clients that wouldn't have engineers in-office to adapt to them.
5. alganet No.42286152
I did, multiple times with multiple countries. All of them had some sort of call rotation. Someone was always at the helm, _specially_ in infrastructure and security.

There are whole startups designed to solve this, like PagerDuty.

I am now very curious to understand where your question comes from. There must be some misunderstanding here. You never went on-call or seen a friend do it?

6. JumpCrisscross No.42286186
> You never went on-call or seen a friend do it?

Red herring [1].

OP said it’s malicious or incompetent to release this on a U.S. holiday weekend. You asked if similar consideration would be given to Brazil. Multiple people chimed in that it would. You’re now pivoting to on-call capacity.

Any amount of on-call capacity can be saturated. That’s why competent multinationals avoid releasing while markets they’re likely to impact are sleeping or drunk. This is a high-level scheduling operation, however, so it’s reasonable for those lower in the organisation to be unaware why an update is being pushed next Tuesday instead of this.

[1] https://en.m.wikipedia.org/wiki/Red_herring

7. alganet No.42286187
Sorry, my example was bad.

In fact, your example is perfect. We're not talking about business. CAs are different.

In security and infrastructure, there's always someone working on holidays. The larger the organization, the higher the chances that some kind of rotation exists.

8. alganet No.42286191
You can totally ignore the red herring and focus on the first part. In the end I was just paraphrasing the comment I replied to.

Rotations exist, specially in large organizations, or when there's shared responsibility.

Now we're talking nonsense about "you said, he said", this conversation makes no sense. I am much less invested in this than you think.

9. JumpCrisscross No.42286205
> Rotations exist

Straw man [1]. Nobody claimed otherwise.

Rotation or always-on isn’t a substitute for being aware of your customers. Good cultures permeate this throughout the organisation. Competent ones have someone at the top ensuring controls are followed.

[1] https://en.m.wikipedia.org/wiki/Straw_man

10. JumpCrisscross No.42286214
> we're not even aware of most US holidays

You’re not. Someone above you should be. Otherwise that’s incompetence.

11. alganet No.42286268
Sorry, I lost track.

Can you explain the point you made precisely, in the context of the original subject?

12. move-on-by No.42286300
My comment is not about how all work should stop during US holidays.

What I’m attempting to refer to is that _if_ this was done with malicious intent, then maybe the hope was that doing it during a holiday would reduce response time or allow it to fly under the radar. Of course, as you say, just because it was a holiday does not inherently mean it’s malicious; it has plausible deniability.

14. alganet No.42286376
What I actually said is that I believe that the notion of a holiday "hiding" these activities is naive. I don't think it makes any difference.

I don't know if there's a rotation or another system. I think there are probably multiple across different parties responsible for maintaining CA trust.