482 points sanqui | 1 comments
8organicbits No.42285913
Microsoft seems to be casual about trusting CAs, isn't transparent in their inclusion decisions, and their trust store is quite large. Any reasonable website would only use a certificate trusted by a quorum of browsers (especially Chrome), so the benefit of the extraneous CAs seems low.

I'm not a Windows user, but I have to wonder if there's a way to use the Chrome trust store on Windows/Edge. I can't imagine trusting Microsoft's list.

replies(2): >>42286093 #>>42286332 #
throwaway2037 No.42286332

> Microsoft seems to be casual about trusting CAs

Woah, that is a bold statement. Classic HN overreach. I am not here to shill for MSFT, but, in terms of OS sales to gov'ts, no one else has nearly the same level of experience. I am sure that MSFT carefully vets all CA additions.

Are you aware of the big hack on the Netherlands govt-approved CA? Read about: DigiNotar. My point: that was a widely trusted CA that was hacked after the root CA cert was added to most browsers' / OSes' trust stores. So would you say that MSFT was "casual" about trusting the DigiNotar root CA? How about Mozilla Firefox? I doubt it.

replies(5): >>42286437 #>>42286493 #>>42286500 #>>42286910 #>>42287959 #
cookiengineer No.42286500
You are comparing a non-publicly available trust chain (Microsoft's) with a public and transparent one (Mozilla's/Linux Foundation's) [1].

I don't see any reproducible builds for Microsoft Edge. Therefore, your statement is an assumption and nothing more. We cannot trust Microsoft more because they are more proprietary.

[1] https://www.ccadb.org/