
482 points sanqui | 2 comments
sabbaticaldev No.42285451
Can someone explain what could be done with that and by whom?
replies(4): >>42285493 >>42285508 >>42285512 >>42286140
brianpan No.42286140
It's not entirely about this particular certificate (although this is bad, too). This is about a certificate authority giving someone who is NOT Google a certificate that can be used to "prove" a server is Google. Accidental or not, this should not happen.

The "blast radius" is limited to Microsoft since they are the only ones that trust this particular certificate authority. Your non-Microsoft browser won't trust these certs. Your non-Microsoft OS, Java program, etc. etc. won't trust these certs.

replies(1): >>42286704
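An added example, not code from the thread: a small Go model of the "blast radius" point above, built on the standard library's crypto/x509. Two lab roots stand in for two different trust stores; a server certificate for a constructed hostname is issued by the root that only store A holds, and the same certificate is then verified against each store. All CA names and the hostname are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign generates a P-256 key for tmpl and has parent sign it; a nil parent yields a self-signed root. Lab-only code: errors from these standard-library calls are not expected on these templates and are ignored.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// trustedBy reports whether a client whose root store holds exactly root accepts leaf for host.
func trustedBy(leaf *x509.Certificate, host string, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// misissuance models the thread: a CA that only store A trusts issues host's certificate to a party that does not own host (constructed names); it returns whether store A and store B clients accept it.
func misissuance(host string) (storeA, storeB bool) {
	caA, caAKey := newCA("Lab CA trusted only by store A")
	caB, _ := newCA("Lab CA trusted only by store B")
	leaf, _ := sign(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, caA, caAKey)
	return trustedBy(leaf, host, caA), trustedBy(leaf, host, caB)
}

func main() {
	fmt.Println(misissuance("www.example.test")) // true false: store A accepts it, store B rejects it
}
```

Only clients whose root store contains the issuing CA accept the certificate; every other client rejects it with an unknown-authority error, which is the whole of the "blast radius".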
xcrunner529 No.42286704
Chrome uses the Windows trust store on Windows, IIRC.
replies(1): >>42291925
brianpan No.42291925
I dug a little and apparently Chrome previously used the trust store of the platform but has now transitioned away from that to use their own. https://blog.chromium.org/2022/09/announcing-launch-of-chrom...

But even before they switched to this "Chrome Root Program", they have distrusted specific CAs, for example Symantec in 2017. https://security.googleblog.com/2017/09/chromes-plan-to-dist...

replies(1): >>42292781
xcrunner529 No.42292781
Thanks for the info! Didn’t know they moved on.