Conversation

Notices

1. Embed this notice
   Andrew Ayer (agwa@follow.agwa.name)'s status on Sunday, 01-Dec-2024 03:19:29 JST Andrew Ayer
   A Brazilian certificate authority trusted only by Microsoft has issued a presumably-unauthorized certificate for google.com: https://bugzilla.mozilla.org/show_bug.cgi?id=1934361
   
   This can used to intercept traffic to Google from Edge and other Windows applications (except Chrome and Firefox). Hug-ops to Google folks.
   
   Microsoft are well aware of the extensive history of problems with this CA - I emailed them my concerns in 2021, and further issues were raised during a public CCADB discussion in 2022 - but they clearly don't care. I hope this incident prompts some change; Windows users deserve better!
   • Embed this notice
     waldi (waldi@chaos.social)'s status on Sunday, 01-Dec-2024 19:35:55 JST waldi

     in reply to

     • bkim

     @bkim @agwa google.com sets a CAA record that explicitely forbids issuance by anyone except Google's own CA. A public trusted WebPKI CA is required to check this.

     In the end it just adds to the list of problems that where already mentioned in the two unsuccessful inclusion requests to Mozilla. And it seems Microsoft does not care.

   • Embed this notice
     bkim (bkim@mastodon.social)'s status on Sunday, 01-Dec-2024 19:35:56 JST bkim

     in reply to

     @agwa I'm curious about the discussions on this CA, what are the issues? It is the root for several Brazilian government services, and I had the (layman's) impression that they are competent.

     Rich Felker repeated this.