←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 1 comments | 30 Nov 24 21:35 UTC | HN request time: 0s | source
Show context
8organicbits ◴[01 Dec 24 03:23 UTC] No.42285913[source]
Microsoft seems to be casual about trusting CAs, isn't transparent in their inclusion decisions, and their trust store is quite large. Any reasonable website would only use a certificate trusted by a quorum of browsers (especially Chrome), so the benefit of the extraneous CAs seems low.

I'm not a Windows user, but I have to wonder if there's a way to use the Chrome trust store on Windows/Edge. I can't imagine trusting Microsoft's list.

replies(2): >>42286093 #>>42286332 #
throwaway2037 ◴[01 Dec 24 05:06 UTC] No.42286332[source]

    > Microsoft seems to be casual about trusting CAs
Woah, that is a bold statement. Classic HN overreach. I am not here to shill for MSFT, but, in terms of OS sales to gov'ts, no one else has nearly the same level of experience. I am sure that MSFT carefully vets all CA additions.

Are you aware of the big hack on Netherlands govt-approved CA? Read about: DigiNotar. My point: That was a widely trusted CA that was hacked after the root CA cert was added to most browsers / OSes trust stores. So would you say that MSFT was "casual" about trusting DigiNotar root CA? How about Mozilla Firefox? I doubt it.

replies(5): >>42286437 #>>42286493 #>>42286500 #>>42286910 #>>42287959 #
anothernewdude ◴[01 Dec 24 05:48 UTC] No.42286493[source]
> I am sure that MSFT carefully vets all CA additions.

I'm sure that Microsoft carefully ensure they're paid for all CA additions.

Given their monopoly there is no incentive for vetting.

replies(1): >>42287994 #
1. tialaramex ◴[01 Dec 24 12:03 UTC] No.42287994[source]
I'm pretty sure there isn't a fee. Somebody from ISRG (the people who brought you Let's Encrypt) might be able to state categorically that there was no fee charged by Microsoft, obviously it's not free in practice to spin up a decent Certificate Authority, but that's not the same thing as Microsoft charging a fee.

For these government CAs my expectation is that they're a sort of quid pro quo and (wrongly) not seen as a security problem.