←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 2 comments | 30 Nov 24 21:35 UTC | HN request time: 0s | source
Show context
II2II ◴[01 Dec 24 04:22 UTC] No.42286175[source]
Tangentially related:

The system is deeply flawed, which is something I realized fifteen years ago when I was put into a situation where I had to use online banking. (Had to being the nearest branch of any bank was an hour long flight away, though there was an ice road you could use in the winter.) One of my first questions of the bank was: who issued their certificate. They didn't have a clue what I was talking about. I suppose I could have pushed the question until I found someone who did know, but I also realized that a random person asking about security would be flagged as suspicious. The whole process was based upon blind trust. Not just trust in the browser vendors to limit themselves to reputable CA, but of the CAs themselves and their procedures/policies, and who knows what else.

replies(3): >>42286178 #>>42286351 #>>42287417 #
1. echoangle ◴[01 Dec 24 09:54 UTC] No.42287417[source]
How does knowing the issuer of the certificate tell you anything if any CA can make certificates for your bank domain? If the answer was „sure, we use GlobalSign“, is that good or bad? If the Brazilian CA is malicious, they can still MITM you, right?

(Assuming certificate pinning doesn’t exist, which was the case 10 years ago and is true now, too)

replies(1): >>42291016 #
2. II2II ◴[01 Dec 24 21:55 UTC] No.42291016[source]
If my bank uses "GlobalSign" and my browser says "Brazilian CA", I know something is wrong. Granted, such a discrepancy would have been more noticeable back then since the lock icon had the issuer displayed next to it. Now I have to click the lock, then select a menu item to get that information. And, if I'm feeling particularly paranoid, it takes 5 clicks to review the certificate. (At least in Firefox.)

If the bank is unable to tell me which CA they use through a trusted channel, the only way I could tell if there is a problem is if the CA changes.