I understand why browsers are in a position where they don't want to remove CAs unless there are repeated and egregious issues, but I wish there was some third party that would rate CAs. I'd be willing to lose access to 1% of the web if it meant cutting 90% of these garbage CAs off my root certificate list.
There is a law in Turkey which was passed during the state of emergency (2016), and these laws later became permanent. If the government demands anything from a Turkish company and the demand is not complied with quickly, then the government takes control of the company (replacing the boss, changing banking passwords) temporarily in order to comply. This process does not involve a judicial authority but an administrative one. It wouldn't matter if it involved judicial authorities, because the justice system is the worst kind of joke.<p>I know it because they took control of our company in 2016. The reason in the decision: "inspector found no evidence of tax evasion, which is suspicious for a Turkish company, therefore we take control of the company." (not joking)
One of the best ways to get issues like this in front of people is through Mozilla's dev-security-policy list (which was originally the mozilla.dev.security.policy Usenet group). People from other browser manufacturers monitor that list.<p>The list archives are at <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy;" rel="nofollow">https://groups.google.com/a/mozilla.org/g/dev-security-polic...</a>; this issue is covered at <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/yqALPG5PC4s" rel="nofollow">https://groups.google.com/a/mozilla.org/g/dev-security-polic...</a>
Oh, this reminds me of the TurkTrust scandal[0], when they granted a local govt. corporation the ability to generate fake certificates, and they were caught when they generated fake Google certs. Considering the identity of the mayor, I'm still not convinced that no people were harmed.<p>[0] <a href="https://nakedsecurity.sophos.com/2013/01/08/the-turktrust-ssl-certificate-fiasco-what-happened-and-what-happens-next/" rel="nofollow">https://nakedsecurity.sophos.com/2013/01/08/the-turktrust-ss...</a>
I wish I could set my browser into a mode where CAs are opt-in.<p>I enable this setting and at first I can't go to Google unless I enable Google's CA. Then I go to Amazon and get the warning, get shown what I will be enabling, and have the ability to use Google to search whether I will trust them. So I enable DigiCert Global CA in order to use Amazon, and ask myself why the hell I need to trust that 3rd party.<p>And so on. This way I would never have Hong Kong Post Office's CA enabled in my browser.
The CA system and WebPKI is more or less fundamentally flawed.<p>- Too few CAs and you lose out on competition.<p>- Too many CAs and the probability of vulnerabilities approaches 100%.
FWIW, a Tughra is the great seal of Ottoman emperors. Suleiman the Magnificent's is well-known:<p><a href="https://www.dailyartmagazine.com/tughra-of-sultan-suleiman-the-magnificent/" rel="nofollow">https://www.dailyartmagazine.com/tughra-of-sultan-suleiman-t...</a>
Aren't CAs supposed to go through vetting and audits before getting trusted in operating systems and browsers? We even went through a SOC audit just for our own internal CA!
&gt; In many regards, certificate authorities are audited comprehensively against industry-specific audit standards. Certificate authorities also routinely get hacked. Despite this, not a single certificate authority runs a bug bounty program, and of the major CAs, only GlobalSign and Let’s Encrypt even offer a security.txt to help disclose issues. Only an annual penetration test is generally required of CAs.<p>These feel like the wrong metrics: the attackers who compromise CAs don't generally overlap in skillset with the people who engage in bug bounty programs, and (AFAIK) `security.txt` has had no significant adoption in the broader community.
This is a huge security issue according to Turkish law (called KVKK).
They should report this security breach here <a href="https://www.kvkk.gov.tr/veri-ihlali-bildirimi/" rel="nofollow">https://www.kvkk.gov.tr/veri-ihlali-bildirimi/</a> but I haven't seen anything reported from them.
> there were many log lines referencing [EJBCA]<p>Is this link supposed to go somewhere specific, or just to the EJBCA homepage? It currently just points back to <a href="https://ian.sh/etugra" rel="nofollow">https://ian.sh/etugra</a>
I’m still surprised that in the year 2022 people still pay enough money for certs that CAs manage to exist providing SSL certs. EV and OV is effectively dead (and was never a good idea anyways), so who exactly is paying for their certs?
How much of the web does removal of these CAs actually impact? I’m an English-speaking westerner* and most of the certs I see are signed by either Let's Encrypt or DigiCert.<p>* Relevance: I assume other languages / countries use more localised CAs.
&gt; I ended up taking a deep look into e-Tugra, a Turkey-based certificate authority trusted by Apple, Google, Mozilla, and other clients<p>He should look at American CAs.
Trusting CAs based on pedigree is ... funny.
Aaand episode #352381 of "whoa, all these people who I thought were sophisticated are actually just a bunch of lazy / ignorant sysadmins". Wouldn't want one obscure CA you've never heard of to get hacked; that would compromise every other website (or maybe not, with this X.509 name constraints gimmick people are talking about in this thread).
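The X.509 name constraints mentioned above are the one standard mechanism that limits what a CA certificate can sign for, and Go's standard-library verifier enforces them, so the effect can be demonstrated offline. The following is an added example, not code from the thread, from e-Tugra or from any CA; it builds a throwaway root, an intermediate whose NameConstraints extension permits only the example.com.tr subtree, then issues leaves from that intermediate and runs a normal chain verification. The CA names, hostnames and keys are made up for the demonstration. A leaf for www.google.com issued by the constrained intermediate fails verification even though its signature is valid, while the same leaf from an unconstrained intermediate (what most real CAs look like today) verifies:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// genKey makes a fresh P-256 key. These are throwaway test keys, not CA material.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl signed by parent with parentKey
// (self-signed when parent == tmpl) and returns it parsed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyUnderConstrainedCA builds a root and an intermediate CA limited by a
// critical NameConstraints extension to the given DNS subtrees, issues a leaf
// for leafHost from that intermediate, and returns the result of a standard
// chain verification for leafHost (nil means the chain was accepted).
// A nil permitted list yields an unconstrained intermediate: Go only emits the
// extension when at least one constraint is present.
func VerifyUnderConstrainedCA(permitted []string, leafHost string) error {
	now := time.Now()
	rootKey, interKey, leafKey := genKey(), genKey(), genKey()

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root (test only)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	interTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Constrained Intermediate (test only)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		// The name constraint: the only namespace this CA may vouch for.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         permitted,
	}
	inter := sign(interTmpl, root, &interKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafHost},
		DNSNames:     []string{leafHost}, // constraints are checked against the SAN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, inter, &leafKey.PublicKey, interKey)

	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leafHost,
		Roots:         roots,
		Intermediates: inters,
	})
	return err
}

func main() {
	for _, host := range []string{"www.example.com.tr", "www.google.com"} {
		err := VerifyUnderConstrainedCA([]string{"example.com.tr"}, host)
		fmt.Printf("constrained intermediate, leaf for %s: err=%v\n", host, err)
	}
	fmt.Printf("unconstrained intermediate, leaf for www.google.com: err=%v\n",
		VerifyUnderConstrainedCA(nil, "www.google.com"))
}
```

The constraint lives in the intermediate and is evaluated by the relying party, so it only helps if every verifier in the ecosystem enforces it; that, and the fact that most CAs hold unconstrained roots, is why it is mostly discussed rather than relied upon.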