482 points sanqui | 1 comments
leonidasv No.42285504
ICP-Brasil officially stopped emitting public-facing SSL/TLS certificates in October: https://www.gov.br/iti/pt-br/assuntos/noticias/indice-de-not...

This is pretty bad. Someone circumvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good.

replies(2): >>42285566 >>42293773
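The CAA rule mentioned above is a check the CA itself is required to perform before issuing: the domain owner publishes CAA records saying which CAs may issue for its names, and a CA that ignores them is mis-issuing even if the applicant "proved" control of the name. As an added example that is not part of this thread, the following stdlib-only Python implements the RFC 8659 decision (climb the DNS tree to the first CAA RRset, apply `issue` / `issuewild`, refuse on a critical unknown property). The zone data is constructed in memory for illustration; in particular the record shown for google.com is made up and is not the real DNS data, and a real check would query DNS instead of `ZONE`.

```python
"""CAA (RFC 8659) issuance check over a constructed in-memory zone.

Added example for illustration; not code from the thread or any CA.
"""
from dataclasses import dataclass

CRITICAL = 128                    # Issuer Critical flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data. These are NOT the real CAA records for any of these
# names; they only exercise the branches of the algorithm below.
ZONE = {
    "google.com.": [CAARecord(0, "issue", "pki.goog")],
    "nocerts.example.": [CAARecord(0, "issue", ";")],          # ';' alone: nobody may issue
    "example.org.": [CAARecord(0, "issue", "ca-one.example"),
                     CAARecord(0, "issuewild", "ca-two.example")],
    "strict.example.": [CAARecord(CRITICAL, "futuretag", "x")],  # critical property we do not know
}


def lookup_caa(name: str):
    """Stand-in for a DNS CAA query against the constructed zone."""
    return ZONE.get(name.rstrip(".").lower() + ".", [])


def relevant_caa_set(fqdn: str):
    """RFC 8659 section 3: the CAA set of the closest ancestor (or self) that has one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrs = lookup_caa(".".join(labels[i:]))
        if rrs:
            return rrs
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' -> '' (empty issuer)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(ca_domain: str, fqdn: str) -> bool:
    """Return True if a CA identified by ca_domain may issue for fqdn under CAA."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    rrs = relevant_caa_set(base)
    if not rrs:
        return True                          # no CAA anywhere up the tree: unrestricted
    # A property we do not understand, flagged critical, forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrs):
        return False
    issue = [r for r in rrs if r.tag.lower() == "issue"]
    issuewild = [r for r in rrs if r.tag.lower() == "issuewild"]
    # For a wildcard name, issuewild governs when present; otherwise issue does.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                          # CAA set exists but does not restrict this case
    allowed = {issuer_domain(r.value) for r in governing}
    allowed.discard("")                      # 'issue ;' contributes no permitted issuer
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for ca, name in [("pki.goog", "www.google.com"),
                     ("some-other-ca.example", "www.google.com"),
                     ("ca-one.example", "*.example.org")]:
        print(f"{ca:>24} -> {name:<18} {'permitted' if caa_permits(ca, name) else 'REFUSED'}")
```

Note where this check lives: browsers do not evaluate CAA when they connect, only the CA is expected to run it at issuance. A CA that skips it is caught after the fact, through Certificate Transparency logs or audits, which is why the thread is about trust in the CA rather than anything the client could have detected.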
TheRealPomax [dead post] No.42285566
[flagged]
semitones No.42285642
Do you actually understand what's going on here?
replies(3): >>42285674 >>42286202 >>42291449
raincole No.42286202
As someone who doesn't understand what's actually going on: could someone ELI5?
replies(1): >>42286322
saagarjha No.42286322
CAs are in the business of being a trusted third party that, among other things, verifies the identity of things. In this case someone seems to have scammed/hacked/whatever the CA into issuing a certificate for google.com, which is clearly bogus. So the result is that we should not trust this CA anymore.
replies(1): >>42286378
raincole No.42286378
But why would someone hack a CA to just... issue a certificate for google.com? How does it benefit them? I'd imagine they'd issue a certificate for some phishing sites or something.
replies(3): >>42286420 >>42286833 >>42286895
salawat No.42286833
So... Think of it like this. All of us have tried to shield users from having to develop or maintain their own trust networks. It's a hell of a lot of work. And it isn't sexy. These CAs are basically that implementation. They have been programmed in by default on most devices to be trusted, and changing that status after the fact is very hard.

The reason someone would want to be able to issue one of these certs is that it essentially allows them to eavesdrop on normally unreadable connection data, because the device thinks the system in the middle is actually a trustworthy endpoint and not a malicious TLS-terminating proxy.

No one whose devices are by default trusting that CA now has any guarantee of confidentiality on any connection to a system presenting those issued certs.