482 points sanqui | 7 comments
danpalmer ◴[] No.42285229[source]
This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.
replies(8): >>42285389 #>>42285408 #>>42285431 #>>42285622 #>>42286061 #>>42286142 #>>42286897 #>>42287654 #
justinclift ◴[] No.42286897[source]
> an even worse look for Microsoft.

Microsoft have a terrible reputation for security, which they've earned through doing stuff like this.

It's not likely to get any better any time soon either, as their trajectory is still pointed downwards.

replies(2): >>42287058 #>>42291038 #
1. danpalmer ◴[] No.42287058[source]
I don’t know enough to comment on that reputation, but this surprises me. They’re known for being great at serving and selling to the enterprise, frequently at the expense of end users, and big enterprises/govts care a lot about security usually. Even if much of that caring is box ticking rather than actually looking into the security (hello ISO27001), you’d expect it to result in generally a security conscious culture.
replies(5): >>42287133 #>>42287137 #>>42287457 #>>42287540 #>>42287558 #
2. outworlder ◴[] No.42287133[source]
It's hit and miss.

They have one of the largest cyber security operations worldwide and regularly track and dismantle criminal operations. There are some great people working there.

Then there's Azure. Which is used by large organizations and you would expect it to have the utmost care when it comes to security. But it often does badly, in several instances it allowed different tenants to access information from one another, something unheard of on AWS. For example: https://www.securityweek.com/microsoft-patches-azure-cross-t... or https://www.theregister.com/2024/06/05/tenable_azure_flaw/ or https://borncity.com/win/2023/08/03/microsoft-as-a-security-...

There are so many cross tenant vulnerabilities that there could be some overlap in those URLs, and it's a bit late at night for me to read those carefully, but you get the idea.

They do get the most flak about Windows, which used to be a non networked, single user OS.

3. cassianoleal ◴[] No.42287137[source]
> Even if much of that caring is box ticking rather than actually looking into the security (hello ISO27001), you’d expect it to result in generally a security conscious culture.

If the whole value is in ticking the box, why would that develop a culture that values anything more than the tick?

replies(1): >>42287324 #
4. antonvs ◴[] No.42287324[source]
The cycle usually goes something like box ticking, complacency, security scare, remediation, rinse and repeat.
5. justinclift ◴[] No.42287457[source]
> but this surprises me

Unfortunately, it's true. People used to relying on Microsoft understandably don't want it to be so, so they're in for a rough time trying to figure out actually workable alternatives. :(

This has been an ongoing problem for years, and every time some new problem is found Microsoft just trots out the PR promises that they'll do better. Without then doing any better.

https://arstechnica.com/information-technology/2022/10/how-a... (2022)

https://arstechnica.com/security/2023/08/microsoft-cloud-sec... (2023)

https://arstechnica.com/information-technology/2024/04/micro... (2024)

For the US government's official perspective on Microsoft's security competence, there's the federal Cyber Safety Review Board report released in April this year:

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review... (2024)

  "Throughout this review, the board identified a series of
  Microsoft operational and strategic decisions that collectively
  point to a corporate culture that deprioritized both enterprise
  security investments and rigorous risk management," the report
  reads.
And so on.

Note that the problems didn't start in 2022; that's just the earliest I could be bothered looking with minimal effort. ;)

6. Muromec ◴[] No.42287540[source]
That's the problem, the only security culture it produces is thinking of security as annoying box ticking.
7. jajko ◴[] No.42287558[source]
A company pushing constant snooping on all activity of users, even on professional/enterprise variants of their OS, can't be taken seriously re security, so I have absolutely no idea where this rumor 'They’re known for being great at serving and selling to the enterprise' comes from.

They may be good when luring in customers, but once that's done, they don't give a fuck about anything but their current cash flow. And the fact that ultra-big players can ask them for a customized OS distribution that has this turned off (just like my own mega corporation) doesn't change anything about the statements above.