A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)

482 points sanqui | 2 comments | 30 Nov 24 21:35 UTC | HN request time: 0.511s | source

Show context

8organicbits ◴[01 Dec 24 03:23 UTC] No.42285913[source]▶

Microsoft seems to be casual about trusting CAs, isn't transparent in their inclusion decisions, and their trust store is quite large. Any reasonable website would only use a certificate trusted by a quorum of browsers (especially Chrome), so the benefit of the extraneous CAs seems low.

I'm not a Windows user, but I have to wonder if there's a way to use the Chrome trust store on Windows/Edge. I can't imagine trusting Microsoft's list.

replies(2): >>42286093 #>>42286332 #

throwaway2037 ◴[01 Dec 24 05:06 UTC] No.42286332[source]▶

>>42285913 #

    > Microsoft seems to be casual about trusting CAs

Woah, that is a bold statement. Classic HN overreach. I am not here to shill for MSFT, but, in terms of OS sales to gov'ts, no one else has nearly the same level of experience. I am sure that MSFT carefully vets all CA additions.

Are you aware of the big hack on Netherlands govt-approved CA? Read about: DigiNotar. My point: That was a widely trusted CA that was hacked after the root CA cert was added to most browsers / OSes trust stores. So would you say that MSFT was "casual" about trusting DigiNotar root CA? How about Mozilla Firefox? I doubt it.

replies(5): >>42286437 #>>42286493 #>>42286500 #>>42286910 #>>42287959 #

1. 8organicbits ◴[01 Dec 24 05:31 UTC] No.42286437[source]▶

>>42286332 #

I'm very aware of DigiNotar, I wrote a blog post last year that discusses DigiNotar and even mentions Brazil/ITI [1].

A challenge for Microsoft is that they aren't transparent in their inclusion decisions, so we can only speculate why they chose to trust this CA. What gives you confidence that Microsoft is doing careful vetting?

In stark contrast, Mozilla publicly and extensively documented why they didn't trust this CA [2].

[1] https://alexsci.com/blog/ca-trust/

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=438825

replies(1): >>42286976 #

2. eschatology ◴[01 Dec 24 07:59 UTC] No.42286976[source]▶

>>42286437 (TP) #

That bugzilla thread was quite a read! Thank you for sharing

↑