←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 3 comments | 30 Nov 24 21:35 UTC | HN request time: 0.567s | source
Show context
danpalmer ◴[01 Dec 24 00:47 UTC] No.42285229[source]
This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.
replies(8): >>42285389 #>>42285408 #>>42285431 #>>42285622 #>>42286061 #>>42286142 #>>42286897 #>>42287654 #
1. raincole ◴[01 Dec 24 04:14 UTC] No.42286142[source]
How bad is it? (Genuine question from me who lacks cybersecurity knowledge)
replies(2): >>42286694 #>>42292324 #
2. retrodaredevil ◴[01 Dec 24 06:39 UTC] No.42286694[source]
Let's assume that some malicious third party has control of the certificate that was created by this fishy CA. The main attack that they could carry out is a man in the middle (MitM) attack. This attack requires this malicious third party to be able to intercept and change the contents of requests being sent to google.com and someone's web browser.

A MitM attack can be easily carried out by someone in control of an ISP, or someone in control of a WiFi network. So, if you trust your ISP and your WiFi network, realistically you have nothing to worry about.

The reason that this issued certificate could allow an attack like this to happen is because all websites nowadays use HTTPS connections, and certificate authorities are the entities that tell your web browser that certain certificates are legit. They confirm that a website is actually that website.

If you visit some website and someone tries to do a MitM attack between your web browser and that website, the web page should fail to load because if they try to change the certificate, your web browser should reject it because it is invalid.

3. bawolff ◴[02 Dec 24 01:47 UTC] No.42292324[source]
Well now that everyone knows about it, its a whole lot less bad.

The bad certificate was caught, and caught quickly. The system works.

It is a bit like if airport security catches someone who wanted to bomb a plane. Yes the immediate gut reaction is that is terrible, but if you think about it for a bit its actually reassuring, since its proof the safe guards worked.