by leonidasv
1 subcomments
- ICP-Brasil officially stopped emitting public-facing SSL/TLS certificates in October: https://www.gov.br/iti/pt-br/assuntos/noticias/indice-de-not...
This is pretty bad. Someone circumvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good.
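The CAA point in the comment above, as an added example that is not part of the thread: a minimal RFC 8659 authorization check over a constructed DNS snapshot (the ZONE dictionary and every name in it are made up), showing how a CA is supposed to decide whether it may issue for a name before doing so.

```python
# Added example: CAA issuance check per RFC 8659 over a constructed zone snapshot.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = issuer-critical bit set
    tag: str     # "issue", "issuewild", "iodef"
    value: str   # "<issuer-domain>[; param=value ...]"; ";" alone means no CA may issue

# Constructed zone data (not real DNS answers): only example.com publishes CAA.
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "issue", "pki.goog; cansignhttpexchanges=yes"),
                    CAA(0, "issuewild", ";")],
    "nocaa.test": [],
}

def relevant_rrset(fqdn, zone):
    """RFC 8659 section 3: climb toward the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """The issuer domain is the text before the first ';', trimmed and lower-cased."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(fqdn, ca_domain, zone, wildcard=False):
    """True if the CA identified by ca_domain may issue for fqdn (or *.fqdn)."""
    rrset = relevant_rrset(fqdn, zone)
    # A critical bit on a tag the issuer does not implement forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    wild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild exclusively when any such record exists.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True   # no applicable restriction published
    return ca_domain.lower() in {issuer_domain(r.value) for r in relevant}
```

A CA that skips this lookup, or ignores its result, is exactly the failure the comment describes; the check is cheap and should be logged per issuance so a violation is detectable after the fact.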
by cjalmeida
1 subcomments
- It gets worse. ICP-Brasil, the AC mentioned in the bug reports, is the government-run agency responsible for all things related to digital signatures. Digitally signing a contract, a deed, accessing tax returns…
by danpalmer
6 subcomments
- This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.
by 8organicbits
2 subcomments
- Microsoft seems to be casual about trusting CAs, isn't transparent in their inclusion decisions, and their trust store is quite large. Any reasonable website would only use a certificate trusted by a quorum of browsers (especially Chrome), so the benefit of the extraneous CAs seems low.
I'm not a Windows user, but I have to wonder if there's a way to use the Chrome trust store on Windows/Edge. I can't imagine trusting Microsoft's list.
by knowitnone
0 subcomment
- "Windows users deserve better!" As if Microsoft cares about their users. But this is clearly negligent behavior and open to lawsuits... hopefully.
by noitpmeder
4 subcomments
- Not clear (to me) in the original post -- was this done accidentally or intentionally?
by mattfields
0 subcomment
- Speculative guess, but it sounds like intentional collusion/coercion between government and big corporations.
i.e.: the Brazilian government demands that Microsoft grant them MITM access from Windows machines, in exchange for the right to do business in the country.
- Does anyone have a list of state (associated) CAs so that I can ditch them all?
- The simple solution would be to have independent entities offer trust assertions about CAs and to allow users to consider multiple entities' views in their decision about whether to trust. It's surprising this doesn't exist yet when the attack vector is so clear.
by connor11528
0 subcomment
- this is an issue with companies being too big
by sabbaticaldev
4 subcomments
- Can someone explain what could be done with that and by whom?
- [flagged]
- So an incompetent CA is trusted by an even more incompetent company, Microsoft?
Is anybody else surprised at this point?
- Tangentially related:
The system is deeply flawed, which is something I realized fifteen years ago when I was put into a situation where I had to use online banking. (Had to, as the nearest branch of any bank was an hour-long flight away, though there was an ice road you could use in the winter.) One of my first questions of the bank was: who issued their certificate? They didn't have a clue what I was talking about. I suppose I could have pushed the question until I found someone who did know, but I also realized that a random person asking about security would be flagged as suspicious. The whole process was based upon blind trust. Not just trust in the browser vendors to limit themselves to reputable CAs, but in the CAs themselves and their procedures/policies, and who knows what else.