←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 2 comments | 30 Nov 24 21:35 UTC | HN request time: 0.55s | source
Show context
danpalmer ◴[01 Dec 24 00:47 UTC] No.42285229[source]
This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.
replies(8): >>42285389 #>>42285408 #>>42285431 #>>42285622 #>>42286061 #>>42286142 #>>42286897 #>>42287654 #
jsheard ◴[01 Dec 24 01:23 UTC] No.42285389[source]
What is even the point of a web CA that isn't trusted by all of the major players? Is there one?
replies(3): >>42285424 #>>42285444 #>>42285550 #
tialaramex ◴[01 Dec 24 01:36 UTC] No.42285444[source]
These are generally government CAs, so, typically the situation is Microsoft sold the government Windows, and as part of that deal (at least tacitly) agreed to the CA being trusted, and so every system that's trusting these certificates is a Windows PC anyway, running Edge because the whole point was the government will only use Windows and pays Microsoft $$$.

Why bake it into everybody else's Windows? If you make say a Brazil Government-only Windows which trusts this CA instead, I guarantee somebody crucial in Brazil will buy a 3rd party Windows laptop independently and it doesn't work with this CA's certificates and that ends up as Microsoft's problem to fix, so, easier to just have every Windows device trust the CA.

They'll have an assurance from the CA that it won't do this sort of crap, and that's enough, plausible deniability. Microsoft will say they take this "very seriously" and do nothing and it'll blow over. After all this stuff happened before and it'll happen again, and Windows will remain very popular.

replies(4): >>42285464 #>>42285561 #>>42285818 #>>42285942 #
awinter-py ◴[01 Dec 24 02:03 UTC] No.42285561[source]
what's the state's interest in having their CA built into windows?
replies(7): >>42285580 #>>42285679 #>>42285705 #>>42285808 #>>42285814 #>>42285837 #>>42286935 #
Onavo ◴[01 Dec 24 03:00 UTC] No.42285808[source]
So they can mitm their own employees without annoying TLS warnings.
replies(2): >>42286301 #>>42286950 #
throwaway2037 ◴[01 Dec 24 04:59 UTC] No.42286301[source]
To be clear, this is bog standard in all mega-corps now. They have a vendor product that provides HTTP Internet proxy, then they perform MitM to decrypt HTTPS traffic and re-sign/encrypt with in-house issued cert. Then, this cert is auto-trusted as part of all base OS installations. To be honest, how else can mega-corps spy on HTTPS traffic without this MitM tactic? I don't know any other way.
replies(1): >>42287372 #
echoangle ◴[01 Dec 24 09:44 UTC] No.42287372[source]
Yes, but normally this is done by making your own CA and installing it into your client devices, not by getting it into every device globally by working with Microsoft.
replies(1): >>42287586 #
hulitu ◴[01 Dec 24 10:36 UTC] No.42287586[source]
> Yes, but normally this is done by making your own CA and installing it into your client devices, not by getting it into every device globally by working with Microsoft.

Google, Facebook, Microsoft, Apple, Cloudfare, Godaddy, Lets encrypt. They all "work with Microsoft".

replies(1): >>42287643 #
echoangle ◴[01 Dec 24 10:48 UTC] No.42287643[source]
Does any employer get a certificate from any of the CAs you listed to MITM their internal networks?
replies(1): >>42288144 #
1. 3np ◴[01 Dec 24 12:38 UTC] No.42288144[source]
The listed companies are employers. I think they all have self-managed CAs.
replies(1): >>42288757 #
2. echoangle ◴[01 Dec 24 15:00 UTC] No.42288757[source]
Yes, but surely the listed companies don't use their public and globally trusted CAs to MITM their internal networks. I hope they have another internal CA to allow them to MITM their internal Network.