←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 6 comments | 30 Nov 24 21:35 UTC | HN request time: 1.131s | source | bottom
Show context
resters ◴[01 Dec 24 01:46 UTC] No.42285484[source]
The simple solution would be to have independent entities offer trust assertions about CAs and to allow users to consider multiple entities' views in their decision about whether to trust. It's surprising this doesn't exist yet when the attack vector is so clear.
replies(3): >>42285498 #>>42285693 #>>42289535 #
tptacek ◴[01 Dec 24 01:49 UTC] No.42285498[source]
This is something more akin to a client software bug than a WebPKI issue. Any alternative PKI scheme you could come up with would still be subject to Microsoft cutting deals.
replies(2): >>42286165 #>>42286184 #
8organicbits ◴[01 Dec 24 04:24 UTC] No.42286184[source]
Can you explain?

I think the parent is suggesting that users should be able to tune their trust stores. I'd imagine that trusting only the CAs that are in all the major trust stores (Google, Microsoft, Mozilla, and Apple) would be a reasonable policy. Few websites would choose a CA that falls outside that group.

replies(1): >>42286223 #
1. tptacek ◴[01 Dec 24 04:35 UTC] No.42286223[source]
Users can tune their own trust stores.
replies(1): >>42286261 #
2. 8organicbits ◴[01 Dec 24 04:46 UTC] No.42286261[source]
Is there a way to do it that isn't tedious? I'm not familiar with tooling beyond the UI browsers offer, which doesn't match the experience I was trying to describe.
replies(2): >>42287346 #>>42297263 #
3. salawat ◴[01 Dec 24 09:38 UTC] No.42287346[source]
I mean... It's as easy as getting SSL certs and importing them into a trust store/adding them to a directory.

The hard part is getting the people you want to establish a trust relationship with to give you a copy of their key. Web of Trust was the answer to logistical key distribution problem. The idea being there would be an organization that would vet people and vouchsafe their cryptographic material for everyone else.

The problem of course, is that the more invisible this is to users, and the more unintuitive the actual mechanics, the more valuable cracking the CA's becomes for hostile actors because of the ensuing blast radius compared to the boast radius that would result from theoretically getting the practice of key exchange in the public, and getting them to internalize the act of creating their own trust networks.

Of course, if you have dreams or fantasies of being able to control people, none of the work that goes into educating the populace is ever going to be endorsed, because once everyone realizes that they can at least assure their own safety by not delegating their cryptography, the entire idea of eacesdropping as a third-party by tapping the line is unmade. Which is not a popular state of affairs universally.

replies(1): >>42288633 #
4. 8organicbits ◴[01 Dec 24 14:35 UTC] No.42288633{3}[source]
Web of trust is way more ambitious than what I'm talking about. Key distribution for the Apple, Microsoft, Google, and Mozilla trust stores is already a solved problem and works well at scale already.

However, if you don't trust the inclusive nature of Microsoft's trust store and prefer Chrome's, there should be a tool to swap out trust stores. I don't think such a tool exists yet.

replies(1): >>42293799 #
5. resters ◴[02 Dec 24 07:01 UTC] No.42293799{4}[source]
Right. I'm imagining a tool that would let users impose choices such as the following:

- Accept any certs trusted by Bruce Schneier unless they are not trusted by tptacec

- Do not accept new certs for top 1000 domain names unless they are over 7 days old and trusted by the Mozlla Foundation

Various experts could create the rules they use to decide which certs or CAs they trust and users could decide which high profile authority figures or institutions they want to trust. One example might even be "Bruce Schneier paranoid version"

I think this doesn't exist because of the following:

1) technically it is possible to do it today with the existing tools, even though nobody does it

2) the negative impact of trusting certs one shouldn't is low for the average user

3) sophisticated users already take precautions and are rarely fooled

I think for something like this to work it would have to be extremely simple. Surely there would be the same phenomenon as "Dr. Oz" in the realm of cyber secruity. Maybe the 'Kevin Rose settings" would be popular, etc. But that would still open the door to distributed trust which is an improvement over blanket trust of large corporate entities.

6. dadrian ◴[02 Dec 24 15:44 UTC] No.42297263[source]
The next version of Chrome introduces a whole UI for this at chrome://certificate-manager.