←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 1 comments | 30 Nov 24 21:35 UTC | HN request time: 0s | source
Show context
leonidasv ◴[01 Dec 24 01:49 UTC] No.42285504[source]
ICP-Brasil officially stopped emitting public-facing SSL/TLS certificates in October: https://www.gov.br/iti/pt-br/assuntos/noticias/indice-de-not...

This is pretty bad. Someone circunvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good.

replies(2): >>42285566 #>>42293773 #
TheRealPomax[dead post] ◴[01 Dec 24 02:04 UTC] No.42285566[source]
[flagged]
semitones ◴[01 Dec 24 02:23 UTC] No.42285642[source]
Do you actually understand what's going here?
replies(3): >>42285674 #>>42286202 #>>42291449 #
raincole ◴[01 Dec 24 04:30 UTC] No.42286202[source]
As someone who doesn't understand what's actually going on: could someone ELI5?
replies(1): >>42286322 #
saagarjha ◴[01 Dec 24 05:04 UTC] No.42286322[source]
CAs are in the business of being a trusted third party that, among other things, verifies the identity of things. In this case someone seems to have scammed/hacked/whatever the CA into issuing a certificate for google.com, which is clearly bogus. So the result is that we should not trust this CA anymore.
replies(1): >>42286378 #
raincole ◴[01 Dec 24 05:17 UTC] No.42286378[source]
But why would someone hacked a CA to just... issue a certificate for google.com? How does it benifit them? I'd imagine they issue a certficate for some phishing sites or something.
replies(3): >>42286420 #>>42286833 #>>42286895 #
1. tsimionescu ◴[01 Dec 24 07:41 UTC] No.42286895[source]
In short, whoever has that certificate can now come between your PC and the real Google, and tell your PC "here is the real google.com" while serving you malware, in a way that Windows will trust. You typed in google.com in the address bar, your browser got the attacker's IP, and then the attacker has a certificate that says they're the real google.com, so your browser will go "all right, all good".

Basically the way certificates work is that whoever has a certificate for a domain name will be able to serve anything they want and browsers will accept this is the real domain. To turn this into an attack, they just need to trick your DNS into pointing your to their machine, or to intercept your traffic even while you're accessing the real server.

Getting a certificate for "mytotallyrealnotascamwinkwink.phishing.com" is not useful in any way for an attacker: the whole idea is to have the user think they are on a trusted site like google.com, while in reality looking at the attacker's site.