(follow.agwa.name)

482 points sanqui | 2 comments | 30 Nov 24 21:35 UTC | HN request time: 0.001s | source

Show context

noitpmeder ◴[01 Dec 24 01:02 UTC] No.42285295[source]▶

Not clear (to me) in the original post -- was this done accidentally or intentionally?

replies(4): >>42285340 #>>42285374 #>>42285593 #>>42285609 #

woodson ◴[01 Dec 24 02:15 UTC] No.42285609[source]▶

As a CA, how does one accidentally issue a certificate for google.com? I mean, is there a scenario that isn't malicious?

replies(3): >>42285625 #>>42286101 #>>42288078 #

tptacek ◴[01 Dec 24 02:19 UTC] No.42285625[source]▶

>>42285609 #

Yes, if the interception system involved was meant only for resources within Brazil’s own agency networks.

replies(2): >>42285842 #>>42286581 #

lxgr ◴[01 Dec 24 03:07 UTC] No.42285842[source]▶

>>42285625 #

But that's not allowed for publicly trusted roots under any circumstances, right? Not sure if that would qualify as an accident.

replies(1): >>42285964 #

foota ◴[01 Dec 24 03:33 UTC] No.42285964[source]▶

>>42285842 #

I think the parent is saying that if they meant to use the cert only internally (e.g., to monitor employees) then that would arguably not be malicious.

replies(4): >>42285966 #>>42286063 #>>42286215 #>>42286226 #

1. lxgr ◴[01 Dec 24 03:34 UTC] No.42285966{3}[source]▶

>>42285964 #

Not malicious, but also not exactly purely accidental, i.e. as part of some otherwise totally legitimate activity.

replies(1): >>42289711 #

2. foota ◴[01 Dec 24 18:05 UTC] No.42289711[source]▶

>>42285966 (TP) #

I think the accidental part would be in the scope. I'm not an expert on these things, but they could have intended to create a self signed cert only valid within the scope of their IT, but accidentally created one from their CA.

↑

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com