ICP-Brasil officially stopped emitting public-facing SSL/TLS certificates in October: <a href="https://www.gov.br/iti/pt-br/assuntos/noticias/indice-de-noticias/importante-esclarecimentos-sobre-o-fim-dos-certificados-ssl-tls-pela-icp-brasil" rel="nofollow">https://www.gov.br/iti/pt-br/assuntos/noticias/indice-de-not...</a><p>This is pretty bad. Someone circunvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good.
It gets worse. ICP-Brasil, the AC mentioned in the bug reports, the the government run agency responsible for all things related to digital signatures. Digitally signing a contract, a deed, accessing tax returns…
This is a bad look. I expected the result would be Chrome and Firefox dropping trust for this CA, but they already don't trust this CA. Arguably, Microsoft/Windows trusting a CA that the other big players choose not to trust is an even worse look for Microsoft.
Microsoft seems to be casual about trusting CAs, isn't transparent in their inclusion decisions, and their trust store is quite large. Any reasonable website would only use a certificate trusted by a quorum of browsers (especially Chrome), so the benefit of the extraneous CAs seems low.<p>I'm not a Windows user, but I have to wonder if there's a way to use the Chrome trust store on Windows/Edge. I can't imagine trusting Microsoft's list.
Things like this make me wonder why certificates are not <i>also</i> signed by the certificate owner.<p>Right now, a CA can issue a certificate for any public key and domain they like. A rogue trusted CA can intercept all traffic.<p>If a certificate also included a signature by the owner of the public key signed by the CA (using their private key, signed over the CA signature), then a CA would no longer have this ability.<p>What am I missing?
I wonder why Brazil has their CA trusted by Microsoft in the first place, while Kazakhstan [1], for example, wasn't.<p>1. <a href="https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_attack" rel="nofollow">https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...</a>
The simple solution would be to have independent entities offer trust assertions about CAs and to allow users to consider multiple entities' views in their decision about whether to trust. It's surprising this doesn't exist yet when the attack vector is so clear.
Speculative guess, but it sounds like intentional collusion/coercion between government and big corporations.<p>ie: Brazilian government demands Microsoft to grant them MITM access from Windows machines, in order for the right to do business in the country.
"Windows users deserve better!" As if Microsoft cares about their users. But this is clearly negligent behavior and open to lawsuits..hopefully.
@dang Can we update the link to the original source?<p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1934361" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=1934361</a>
It's not Microsoft being careless about CAs. That's been made on purpose by them to comply with some request in order to keep a slice of their market.
Tangentially related:<p>The system is deeply flawed, which is something I realized fifteen years ago when I was put into a situation where I had to use online banking. (Had to being the nearest branch of any bank was an hour long flight away, though there was an ice road you could use in the winter.) One of my first questions of the bank was: who issued their certificate. They didn't have a clue what I was talking about. I suppose I could have pushed the question until I found someone who did know, but I also realized that a random person asking about security would be flagged as suspicious. The whole process was based upon blind trust. Not just trust in the browser vendors to limit themselves to reputable CA, but of the CAs themselves and their procedures/policies, and who knows what else.
Lol. "This is pretty bad. Someone circunvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good."<p>Yeah, this is after the certificate was issued, and my guess, used.<p>Also, has anyone tried to look up CT logs lately? I tried. Can get maybe a single FQDN if you look, but trying to do wildcards or name-alikes, nothing worked. Most of the CT searching websites were straight up broken. Clearly nobody is actually looking at CT logs.<p>CAs are a joke. There's a dozen different ways to exploit them, they <i>are</i> exploited, and we only find out after the fact, if it's a famous enough domain.<p>We could fix it but nobody gives a shit. Just apathy and BAU.