A Brazilian CA trusted only by Microsoft has issued a certificate for google.com
(follow.agwa.name)
482 points
sanqui
| 2 comments |
30 Nov 24 21:35 UTC
noitpmeder
◴[
01 Dec 24 01:02 UTC
]
No.
42285295
>>42284202 (OP)
#
Not clear (to me) in the original post -- was this done accidentally or intentionally?
replies(4):
>>42285340
#
>>42285374
#
>>42285593
#
>>42285609
#
woodson
◴[
01 Dec 24 02:15 UTC
]
No.
42285609
>>42285295
#
As a CA, how does one accidentally issue a certificate for google.com? I mean, is there a scenario that isn't malicious?
replies(3):
>>42285625
#
>>42286101
#
>>42288078
#
tptacek
◴[
01 Dec 24 02:19 UTC
]
No.
42285625
>>42285609
#
Yes, if the interception system involved was meant only for resources within Brazil’s own agency networks.
replies(2):
>>42285842
#
>>42286581
#
lxgr
◴[
01 Dec 24 03:07 UTC
]
No.
42285842
>>42285625
#
But that's not allowed for publicly trusted roots under any circumstances, right? Not sure if that would qualify as an accident.
replies(1):
>>42285964
#
foota
◴[
01 Dec 24 03:33 UTC
]
No.
42285964
>>42285842
#
I think the parent is saying that if they meant to use the cert only internally (e.g., to monitor employees) then that would arguably not be malicious.
replies(4):
>>42285966
#
>>42286063
#
>>42286215
#
>>42286226
#
1.
grayhatter
◴[
01 Dec 24 03:55 UTC
]
No.
42286063
>>42285964
#
> (e.g., to monitor employees) then that would arguably not be malicious.
If only there was a way to monitor company equipment without issuing a cert for a public 3rd party.
replies(1):
>>42289210
#
2.
switch007
◴[
01 Dec 24 16:36 UTC
]
No.
42289210
>>42286063 (TP)
#
AI screen monitoring right