←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 1 comments | 30 Nov 24 21:35 UTC | HN request time: 0s | source
Show context
8organicbits ◴[01 Dec 24 03:23 UTC] No.42285913[source]
Microsoft seems to be casual about trusting CAs, isn't transparent in their inclusion decisions, and their trust store is quite large. Any reasonable website would only use a certificate trusted by a quorum of browsers (especially Chrome), so the benefit of the extraneous CAs seems low.

I'm not a Windows user, but I have to wonder if there's a way to use the Chrome trust store on Windows/Edge. I can't imagine trusting Microsoft's list.

replies(2): >>42286093 #>>42286332 #
throwaway2037 ◴[01 Dec 24 05:06 UTC] No.42286332[source]

    > Microsoft seems to be casual about trusting CAs
Woah, that is a bold statement. Classic HN overreach. I am not here to shill for MSFT, but, in terms of OS sales to gov'ts, no one else has nearly the same level of experience. I am sure that MSFT carefully vets all CA additions.

Are you aware of the big hack on Netherlands govt-approved CA? Read about: DigiNotar. My point: That was a widely trusted CA that was hacked after the root CA cert was added to most browsers / OSes trust stores. So would you say that MSFT was "casual" about trusting DigiNotar root CA? How about Mozilla Firefox? I doubt it.

replies(5): >>42286437 #>>42286493 #>>42286500 #>>42286910 #>>42287959 #
1. lelandbatey ◴[01 Dec 24 07:42 UTC] No.42286910[source]
> ... In terms of OS sales to gov'ts, no one else has nearly the same level of experience. I am sure that MSFT carefully vets all CA additions.

I don't think those two things have anything to do with each other. Living in Redmond for my entire life has mostly shown me that MS owns one of the best and most lucrative sales orgs and sales channels in the world. That sales channel means they can sell to governments better than nearly anyone one the planet, no matter what their security practices are like.