
482 points sanqui | 2 comments
0xbadcafebee No.42292379
Lol. "This is pretty bad. Someone circumvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good."

Yeah, this is after the certificate was issued, and my guess, used.

Also, has anyone tried to look up CT logs lately? I tried. Can get maybe a single FQDN if you look, but trying to do wildcards or name-alikes, nothing worked. Most of the CT searching websites were straight up broken. Clearly nobody is actually looking at CT logs.

CAs are a joke. There's a dozen different ways to exploit them, they are exploited, and we only find out after the fact, if it's a famous enough domain.

We could fix it but nobody gives a shit. Just apathy and BAU.

1. numbsafari No.42292537
Wildcards work on crt.sh:

https://crt.sh/?q=%25.ycombinator.com

2. numbsafari No.42298563
Just wanting to add to my own comment...

crt.sh allows you to subscribe to an RSS feed for wildcard searches. We map those into a slack channel for infrastructure advisory alerts. You can also setup more aggressive alerts if something shows up unexpectedly.

It's an incredibly handy service.
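The two comments above describe a wildcard crt.sh query and alerting on entries that show up unexpectedly. The script below is an added example written for this page; it is not crt.sh's code and not the commenters' Slack integration. It assumes crt.sh's JSON output (`?q=%25.<domain>&output=json`) returns one object per log entry with `id`, `issuer_name` and a newline-separated `name_value`; the issuer allowlist, the alert kinds and the sample records are constructed for the demonstration.

```python
"""Poll crt.sh for certificates under a domain and flag unexpected ones.

Added example, not crt.sh's own code. Assumption: crt.sh's JSON output
(`?q=%25.<domain>&output=json`) yields one object per log entry with
`id`, `issuer_name` and `name_value` (newline-separated DNS names).
"""
import json
import urllib.parse
import urllib.request

DOMAIN = "ycombinator.com"               # domain from the thread's example query
ALLOWED_ISSUERS = ("O=Let's Encrypt",)   # assumed allowlist: substrings of issuer_name


def crtsh_json_url(domain):
    """Build the wildcard query URL; '%' is crt.sh's wildcard, URL-encoded as %25."""
    query = {"q": f"%.{domain}", "output": "json"}
    return "https://crt.sh/?" + urllib.parse.urlencode(query)


def fetch_crtsh(domain, timeout=30):
    """Live fetch from crt.sh (network; not exercised by the offline demo)."""
    with urllib.request.urlopen(crtsh_json_url(domain), timeout=timeout) as resp:
        return json.load(resp)


def names_in(record):
    """Split crt.sh's newline-separated name_value into a normalised set of names."""
    return {n.strip().lower() for n in record["name_value"].splitlines() if n.strip()}


def triage(records, domain, allowed_issuers, seen_ids):
    """Return (alerts, seen_ids) for one poll. Alerts are (kind, entry_id, detail).

    kinds:
      new-entry          first time this crt.sh entry id has been seen
      unexpected-issuer  issuer_name matches none of the allowlist substrings
      wildcard-name      a SAN of the form *.<domain> (high blast radius)
      off-domain-name    a SAN not under <domain> at all (shared or suspicious cert)
    """
    alerts = []
    seen = set(seen_ids)
    for rec in records:
        eid = rec["id"]
        if eid in seen:
            continue
        seen.add(eid)
        alerts.append(("new-entry", eid, rec["issuer_name"]))
        if not any(a in rec["issuer_name"] for a in allowed_issuers):
            alerts.append(("unexpected-issuer", eid, rec["issuer_name"]))
        for name in sorted(names_in(rec)):
            if name == f"*.{domain}":
                alerts.append(("wildcard-name", eid, name))
            elif not (name == domain or name.endswith("." + domain)):
                alerts.append(("off-domain-name", eid, name))
    return alerts, seen


# Constructed to mirror crt.sh's JSON shape; not real log data.
SAMPLE_RECORDS = [
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "news.ycombinator.com\nwww.ycombinator.com"},
    {"id": 1002, "issuer_name": "C=XX, O=Example Unexpected CA, CN=Example CA 1",
     "name_value": "*.ycombinator.com"},
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.ycombinator.com\nshared-host.example.net"},
]


def demo():
    """Two polls over the sample: the first alerts, the second (same data) is silent."""
    first, seen = triage(SAMPLE_RECORDS, DOMAIN, ALLOWED_ISSUERS, seen_ids=set())
    second, _ = triage(SAMPLE_RECORDS, DOMAIN, ALLOWED_ISSUERS, seen_ids=seen)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    for kind, eid, detail in first:
        print(f"{kind:18} crt.sh id {eid}: {detail}")
    print(f"second poll raised {len(second)} alerts")
```

Replace `SAMPLE_RECORDS` with `fetch_crtsh(DOMAIN)` and persist `seen` between runs to get the "something unexpected showed up" alert the comment describes; the RSS feed approach in the comment does the same polling on crt.sh's side. Note that `%.example.com` matches names ending in `.example.com` but not the apex `example.com` itself, so query both if the apex matters.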