482 points sanqui | 1 comments
resters No.42285484
The simple solution would be to have independent entities offer trust assertions about CAs and to allow users to consider multiple entities' views in their decision about whether to trust. It's surprising this doesn't exist yet when the attack vector is so clear.
replies(3): >>42285498 >>42285693 >>42289535
1. will4274 No.42289535
It'd be a simple enough browser plugin to build - a tool that checks multiple trust stores when rendering a page. Probably it already exists.

The problem is between the keyboard and the chair. Users struggle to understand SSL already. Browsers decided that the distinctions between EV, DV, and OV were too complex and hid them. What will your grandmother think when she opens up her bank and your browser plugin shows a greenish yellow trust indicator because the cert is trusted by Google, Apple, and Microsoft, but not Mozilla?

Unfortunately, trust is binary. Your grandmother clicks on the bank bookmark and either sees her banking websites or sees a scary warning.