←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 4 comments | 30 Nov 24 21:35 UTC | HN request time: 0.665s | source
Show context
II2II ◴[01 Dec 24 04:22 UTC] No.42286175[source]
Tangentially related:

The system is deeply flawed, which is something I realized fifteen years ago when I was put into a situation where I had to use online banking. (Had to being the nearest branch of any bank was an hour long flight away, though there was an ice road you could use in the winter.) One of my first questions of the bank was: who issued their certificate. They didn't have a clue what I was talking about. I suppose I could have pushed the question until I found someone who did know, but I also realized that a random person asking about security would be flagged as suspicious. The whole process was based upon blind trust. Not just trust in the browser vendors to limit themselves to reputable CA, but of the CAs themselves and their procedures/policies, and who knows what else.

replies(3): >>42286178 #>>42286351 #>>42287417 #
1. JumpCrisscross ◴[01 Dec 24 04:23 UTC] No.42286178[source]
> One of my first questions of the bank was: who issued their certificate

…what did the certificate say?

> whole process was based upon blind trust

If I offer someone a ride and they start quizzing me on what differential I’m driving, I’m going to ignore them. That isn’t requiring blind trust, it’s just the wrong place and way to get the information you’re asking for.

replies(1): >>42286881 #
2. salawat ◴[01 Dec 24 07:36 UTC] No.42286881[source]
The problem with that analogy is that the cert issuer isn't a mere component of the car, but the entire car in this instance. That cert being trustworthy is the entire point.

When I was in schooling getting filled in on Web of Trust, I about ground that particular day's class to a halt because I couldn't imagine the world was that cavalier on such a thing.

Lo and behold, I realized shortly afterward it absolutely was the case, and there was nada I could do to change it except figure out how to get normal people universally fluent and invested in basic cryptography so they could manage their own trust networks. You can imagine how well that's gone.

replies(2): >>42287409 #>>42287478 #
3. ◴[01 Dec 24 09:53 UTC] No.42287409[source]
4. JumpCrisscross ◴[01 Dec 24 10:10 UTC] No.42287478[source]
> problem with that analogy is that the cert issuer isn't a mere component of the car, but the entire car in this instance

I'm critising OP for castiglating a bank employee for not knowing who their CA is. That's not something a line employee needs to know. And that's not the appropriate way to ask that.

If I want to know who issued HN's certificate, I don't e-mail a YC associate. I look at my browser and see it's Let's Encrypt.