482 points sanqui | 2 comments
noitpmeder ◴[] No.42285295[source]
Not clear (to me) in the original post -- was this done accidentally or intentionally?
replies(4): >>42285340 #>>42285374 #>>42285593 #>>42285609 #
woodson ◴[] No.42285609[source]
As a CA, how does one accidentally issue a certificate for google.com? I mean, is there a scenario that isn't malicious?
replies(3): >>42285625 #>>42286101 #>>42288078 #
tptacek ◴[] No.42285625[source]
Yes, if the interception system involved was meant only for resources within Brazil’s own agency networks.
replies(2): >>42285842 #>>42286581 #
lxgr ◴[] No.42285842[source]
But that's not allowed for publicly trusted roots under any circumstances, right? Not sure if that would qualify as an accident.
replies(1): >>42285964 #
foota ◴[] No.42285964[source]
I think the parent is saying that if they meant to use the cert only internally (e.g., to monitor employees) then that would arguably not be malicious.
replies(4): >>42285966 #>>42286063 #>>42286215 #>>42286226 #
1. tptacek ◴[] No.42286215[source]
It would not be malicious. I don't think there's a serious argument here (bearing in mind that in the airless vacuum of a message we can, of course, argue anything).

I don't know that's what happened here, though; there are malicious possible explanations!

replies(1): >>42289730 #
2. foota ◴[] No.42289730[source]
I largely agree, although I think there's some part of a slippery slope specifically when it comes to government, since you could argue that a government monitoring its citizens is also not malicious since (in a democratic society) the government derives its mandate from the people.

This isn't too different from the argument that (I believe reasonably) applies for how a company has the right to monitor employees, but I think many people are opposed to even democratic governments monitoring people and would consider such use malicious.

So a government monitoring its employees is one step closer even than a company, since it's the same organization in this case (though again, I think it's largely reasonable for a government to monitor their employees).