
482 points | sanqui | 1 comment

danpalmer No.42285229
This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.
replies(8): >>42285389 >>42285408 >>42285431 >>42285622 >>42286061 >>42286142 >>42286897 >>42287654
raincole No.42286142
How bad is it? (Genuine question from me who lacks cybersecurity knowledge)
replies(2): >>42286694 >>42292324
retrodaredevil No.42286694
Let's assume that some malicious third party has control of the certificate that was created by this fishy CA. The main attack that they could carry out is a man in the middle (MitM) attack. This attack requires this malicious third party to be able to intercept and change the contents of requests being sent to google.com and someone's web browser.

A MitM attack can be easily carried out by someone in control of an ISP, or someone in control of a WiFi network. So, if you trust your ISP and your WiFi network, realistically you have nothing to worry about.

The reason that this issued certificate could allow an attack like this to happen is because all websites nowadays use HTTPS connections, and certificate authorities are the entities that tell your web browser that certain certificates are legit. They confirm that a website is actually that website.

If you visit some website and someone tries to do a MitM attack between your web browser and that website, the web page should fail to load because if they try to change the certificate, your web browser should reject it because it is invalid.