from Hacker News

A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

by sanqui on 11/30/24, 9:35 PM with 215 comments

  • by leonidasv on 12/1/24, 1:49 AM

    ICP-Brasil officially stopped emitting public-facing SSL/TLS certificates in October: https://www.gov.br/iti/pt-br/assuntos/noticias/indice-de-not...

    This is pretty bad. Someone circunvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good.

  • by cjalmeida on 12/1/24, 1:32 AM

    It gets worse. ICP-Brasil, the AC mentioned in the bug reports, the the government run agency responsible for all things related to digital signatures. Digitally signing a contract, a deed, accessing tax returns…

  • by danpalmer on 12/1/24, 12:47 AM

    This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.

  • by 8organicbits on 12/1/24, 3:23 AM

    Microsoft seems to be casual about trusting CAs, isn't transparent in their inclusion decisions, and their trust store is quite large. Any reasonable website would only use a certificate trusted by a quorum of browsers (especially Chrome), so the benefit of the extraneous CAs seems low.

    I'm not a Windows user, but I have to wonder if there's a way to use the Chrome trust store on Windows/Edge. I can't imagine trusting Microsoft's list.

  • by MattPalmer1086 on 12/1/24, 10:35 AM

    Things like this make me wonder why certificates are not also signed by the certificate owner.

    Right now, a CA can issue a certificate for any public key and domain they like. A rogue trusted CA can intercept all traffic.

    If a certificate also included a signature by the owner of the public key signed by the CA (using their private key, signed over the CA signature), then a CA would no longer have this ability.

    What am I missing?

  • by alwayslikethis on 12/2/24, 2:20 AM

    I wonder why Brazil has their CA trusted by Microsoft in the first place, while Kazakhstan [1], for example, wasn't.

    1. https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...

  • by resters on 12/1/24, 1:46 AM

    The simple solution would be to have independent entities offer trust assertions about CAs and to allow users to consider multiple entities' views in their decision about whether to trust. It's surprising this doesn't exist yet when the attack vector is so clear.

  • by noitpmeder on 12/1/24, 1:02 AM

    Not clear (to me) in the original post -- was this done accidentally or intentionally?

  • by mattfields on 12/1/24, 6:24 AM

    Speculative guess, but it sounds like intentional collusion/coercion between government and big corporations.

    ie: Brazilian government demands Microsoft to grant them MITM access from Windows machines, in order for the right to do business in the country.

  • by coretx on 12/1/24, 4:14 AM

    Does anyone have a list of state ( associated ) CA's so that I can ditch them all ?

  • by knowitnone on 12/1/24, 3:29 AM

    "Windows users deserve better!" As if Microsoft cares about their users. But this is clearly negligent behavior and open to lawsuits..hopefully.

  • by b800h on 12/1/24, 8:04 AM

    Can anyone tell me which CA is used by Open Banking in Brazil? The infrastructure is heavily based on PKI. I assume it's not this one?

  • by ThePowerOfFuet on 12/1/24, 9:37 AM

    @dang Can we update the link to the original source?

    https://bugzilla.mozilla.org/show_bug.cgi?id=1934361

  • by notorandit on 12/1/24, 8:39 AM

    It's not Microsoft being careless about CAs. That's been made on purpose by them to comply with some request in order to keep a slice of their market.

  • by sabbaticaldev on 12/1/24, 1:37 AM

    Can someone explain what could be done with that and by whom?

  • by ikekkdcjkfke on 12/1/24, 7:32 AM

    How do i remove this CA from windows and Edge?

  • by II2II on 12/1/24, 4:22 AM

    Tangentially related:

    The system is deeply flawed, which is something I realized fifteen years ago when I was put into a situation where I had to use online banking. (Had to being the nearest branch of any bank was an hour long flight away, though there was an ice road you could use in the winter.) One of my first questions of the bank was: who issued their certificate. They didn't have a clue what I was talking about. I suppose I could have pushed the question until I found someone who did know, but I also realized that a random person asking about security would be flagged as suspicious. The whole process was based upon blind trust. Not just trust in the browser vendors to limit themselves to reputable CA, but of the CAs themselves and their procedures/policies, and who knows what else.

  • by 0xbadcafebee on 12/2/24, 1:57 AM

    Lol. "This is pretty bad. Someone circunvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good."

    Yeah, this is after the certificate was issued, and my guess, used.

    Also, has anyone tried to look up CT logs lately? I tried. Can get maybe a single FQDN if you look, but trying to do wildcards or name-alikes, nothing worked. Most of the CT searching websites were straight up broken. Clearly nobody is actually looking at CT logs.

    CAs are a joke. There's a dozen different ways to exploit them, they are exploited, and we only find out after the fact, if it's a famous enough domain.

    We could fix it but nobody gives a shit. Just apathy and BAU.

  • by xyst on 12/1/24, 3:46 AM

    So an incompetent CA is trusted by an even more incompetent company, Microsoft?

    Is anybody else surprised at this point?

  • by connor11528 on 12/1/24, 3:31 AM

    this is an issue with companies being too big

  • by motbus3 on 12/1/24, 10:08 AM

    You care about google? Look at those links, they are loaded with critical government stuff. Omg