482 points sanqui | 1 comments
sabbaticaldev ◴[] No.42285451[source]
Can someone explain what could be done with that and by whom?
replies(4): >>42285493 #>>42285508 #>>42285512 #>>42286140 #
woofcat ◴[] No.42285512[source]
Whoever has this fake certificate can run a server and say it's google.com, and Windows will say "yep you are" with the little green lock.
replies(2): >>42285605 #>>42287273 #
bufferoverflow ◴[] No.42285605[source]
The certificate is for a specific IP address, no?

And without DNS pointing google.com to that IP address, it's pretty useless.

replies(3): >>42285639 #>>42286509 #>>42287444 #
zer0x4d ◴[] No.42285639[source]
Nope, certificates are issued for CNs (Common Names), also known as FQDNs (fully qualified domain names). Something such as *.google.com, not IP addresses.

If they were issued for IP addresses they would have to reissue the certificate every time they spun up a new server. Also it's why if you spin up another server and make DNS point google.com to that server, it would not pass verification since the certificate you will be using on that server is not issued to *.google.com, but rather some other domain you own. The IP address plays no role in certificates.

replies(2): >>42285695 #>>42285748 #
colanderman ◴[] No.42285748[source]
Nit: a CN (stored in the Subject field of a cert) is not an FQDN, though historically web browsers treated them as such. This practice is now deprecated. Modern practice is for the domain name(s) to be placed in the Subject Alternative Name (SAN) field.

The Subject field is not consulted so long as the SAN field is present, and can in theory be any X.500 Distinguished Name, of which Common Name is one possible attribute, which may be any freeform string of a limited length (though it is typically set to the primary domain the cert is issued for, for easy identification).
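
The name check described in the comment above, as an added example that is not part of the thread or any participant's code: a simplified verifier-side matcher over the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. It goes slightly beyond the comment by also handling `IP Address` SAN entries; the function names, the `legacy_cn_fallback` flag and the sample certificates are constructed for illustration.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry; '*' is only honoured as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never several
    if p[0] == "*":
        # Simplified policy (assumption): refuse wildcards directly under a TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(cert: dict, target: str, legacy_cn_fallback: bool = False) -> bool:
    """Return True if `cert` is valid for `target` (a hostname or an IP literal)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP targets are compared only with IP Address SAN entries.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in san)
    dns_names = [val for kind, val in san if kind == "DNS"]
    if dns_names:
        # SAN DNS names present: the Subject CN is never consulted.
        return any(_dns_match(name, target) for name in dns_names)
    if legacy_cn_fallback:
        # Deprecated behaviour: treat the CN as a hostname when no SAN DNS name exists.
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        return any(_dns_match(cn, target) for cn in cns)
    return False

# Constructed sample certificates (getpeercert() dict shape), not real ones.
CERT_SAN = {"subject": ((("commonName", "Example Web Frontend"),),),
            "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"),
                               ("IP Address", "192.0.2.10"))}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.com"),),)}
CERT_CN_VS_SAN = {"subject": ((("commonName", "other.example.net"),),),
                  "subjectAltName": (("DNS", "example.com"),)}
```
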