/top/
/new/
/best/
/ask/
/show/
/job/
^
slacker news
login
about
←back to thread
A Brazilian CA trusted only by Microsoft has issued a certificate for google.com
(follow.agwa.name)
482 points
sanqui
| 2 comments |
30 Nov 24 21:35 UTC
|
HN request time: 0.417s
|
source
Show context
cjalmeida
◴[
01 Dec 24 01:32 UTC
]
No.
42285429
[source]
▶
>>42284202 (OP)
#
It gets worse. ICP-Brasil, the AC mentioned in the bug reports, the the government run agency responsible for all things related to digital signatures. Digitally signing a contract, a deed, accessing tax returns…
replies(2):
>>42285683
#
>>42286883
#
layer8
◴[
01 Dec 24 02:33 UTC
]
No.
42285683
[source]
▶
>>42285429
#
Unlike web browsers, digital signature use cases should perform revocation checks, so revoking the google.com certificate should solve that.
replies(3):
>>42285783
#
>>42285825
#
>>42292286
#
perching_aix
◴[
01 Dec 24 02:53 UTC
]
No.
42285783
[source]
▶
>>42285683
#
I think the current "meta" is CAA records?
https://blog.cloudflare.com/why-certificate-pinning-is-outda...
replies(2):
>>42285927
#
>>42292557
#
1.
syncsynchalt
◴[
02 Dec 24 02:31 UTC
]
No.
42292557
[source]
▶
>>42285783
#
CAA records rely on the CAs to respect them, and this is an article about how a CA has issued a cert in violation of a CAA record.
replies(1):
>>42292602
#
ID:
GO
2.
perching_aix
◴[
02 Dec 24 02:41 UTC
]
No.
42292602
[source]
▶
>>42292557 (TP)
#
Oh right, for some reason I was under the impression that browsers utilize the record too.
↑