←back to thread

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

(follow.agwa.name)
482 points sanqui | 1 comments | 30 Nov 24 21:35 UTC | HN request time: 0.282s | source
Show context
0xbadcafebee ◴[02 Dec 24 01:57 UTC] No.42292379[source]
Lol. "This is pretty bad. Someone circunvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good."

Yeah, this is after the certificate was issued, and my guess, used.

Also, has anyone tried to look up CT logs lately? I tried. Can get maybe a single FQDN if you look, but trying to do wildcards or name-alikes, nothing worked. Most of the CT searching websites were straight up broken. Clearly nobody is actually looking at CT logs.

CAs are a joke. There's a dozen different ways to exploit them, they are exploited, and we only find out after the fact, if it's a famous enough domain.

We could fix it but nobody gives a shit. Just apathy and BAU.

replies(5): >>42292471 #>>42292537 #>>42292577 #>>42292621 #>>42292889 #
AceJohnny2 ◴[02 Dec 24 02:15 UTC] No.42292471[source]
> We could fix it but nobody gives a shit. Just apathy and BAU.

We really can't fix it. You try and coordinate updates across all major (and most minor, and outdated) OSs, and websites around the world, amateur & professional, from the mom-and-pop store who don't understand any of this, to the big bank that'll take 3 years of procedure.

I have friends who work in the CA field (on the OS side). The level of alcoholism and turnover in the field is... higher than average.

replies(2): >>42292576 #>>42292585 #
1. ◴[02 Dec 24 02:38 UTC] No.42292585[source]