A Brazilian CA trusted only by Microsoft has issued a certificate for google.com

Scope of the Incident

  • A Brazilian government-related CA (ICP-Brasil / SERPRO ecosystem), trusted only by Microsoft’s root store, issued a certificate for google.com.
  • Other major root programs (Chrome/Google, Firefox/Mozilla, Apple) do not trust this CA.
  • Certificate was logged in Certificate Transparency (CT), which is how it was noticed.
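
The monitoring that caught this issuance is something any domain owner can run: watch CT for certificates covering your names and alert when the issuer is not one you actually use. The following is an added example, not code from the discussion or from any CT project; it works on constructed log entries (real monitors pull DER certificates from a log's get-entries endpoint or a monitoring service), and all domain and CA names in it are constructed.

```python
"""Minimal CT-style mis-issuance monitor (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoggedCert:
    """Fields a monitor would extract from a CT log entry's leaf certificate."""
    issuer: str            # issuer name used as the CA identifier (constructed)
    subject_cn: str        # subject commonName
    sans: Tuple[str, ...]  # dNSName entries from the subjectAltName extension
    ct_log: str            # which log the entry came from (constructed)


# Domains we operate, mapped to the CAs we actually obtain certificates from.
# Domains and CA names are constructed for this example.
EXPECTED_ISSUERS: Dict[str, Set[str]] = {
    "example.com": {"Example Trusted CA"},
    "example.org": {"Example Trusted CA", "Second Known CA"},
}

# Constructed entries standing in for a CT log feed.
SAMPLE_ENTRIES: List[LoggedCert] = [
    LoggedCert("Example Trusted CA", "www.example.com",
               ("www.example.com", "example.com"), "log-a"),
    LoggedCert("Unexpected Government CA", "example.com",
               ("example.com", "mail.example.com"), "log-b"),
    LoggedCert("Unexpected Government CA", "unrelated.test",
               ("unrelated.test",), "log-b"),
    LoggedCert("Second Known CA", "*.example.org", ("*.example.org",), "log-a"),
]


def normalize(name: str) -> str:
    """Lower-case a DNS name, drop a trailing dot and a leading wildcard label."""
    n = name.strip().lower().rstrip(".")
    return n[2:] if n.startswith("*.") else n


def monitored_base(name: str, bases) -> str:
    """Return the monitored base domain that `name` falls under, or '' if none."""
    n = normalize(name)
    for base in bases:
        if n == base or n.endswith("." + base):
            return base
    return ""


def cert_names(cert: LoggedCert) -> Set[str]:
    """Every DNS name the certificate is valid for (CN plus SANs)."""
    return {cert.subject_cn, *cert.sans}


def find_misissuance(entries, expected=EXPECTED_ISSUERS) -> List[dict]:
    """One alert per certificate whose issuer is not allow-listed for a name it covers."""
    alerts = []
    for cert in entries:
        offending = sorted(
            name for name in cert_names(cert)
            if monitored_base(name, expected)
            and cert.issuer not in expected[monitored_base(name, expected)]
        )
        if offending:
            alerts.append({"issuer": cert.issuer, "names": offending, "log": cert.ct_log})
    return alerts


if __name__ == "__main__":
    for a in find_misissuance(SAMPLE_ENTRIES):
        print(f"ALERT {a['log']}: {a['issuer']} issued for {', '.join(a['names'])}")
```

The check is issuer-based on purpose: a certificate for a name you own from a CA you never contracted is the signal, regardless of whether the CA is in any particular root store. The same logic run against every root program's logs is what lets the owner, rather than the trust store operator, notice first.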

Impact and Severity

  • Main risk: man-in-the-middle (MitM) attacks for google.com on Windows/Edge or any software using the Windows trust store.
  • Attack requires network control (ISP, Wi‑Fi, enterprise/government network).
  • Some argue impact is now low because the cert was quickly found and revoked; others say issuing such a cert even once should be fatal for the CA.
  • Damage is limited to Microsoft’s ecosystem; non-Microsoft browsers/OSes would not accept it.

Accident vs Malice

  • Unclear whether issuance was malicious or accidental.
  • Some suggest a “careless testing” scenario (e.g., staff manually issuing a cert for google.com while testing interception systems, or intending internal-only monitoring).
  • Others see this as symptomatic of deeper incompetence or potential abuse; discussion notes prior similar mis-issuances by other CAs.

Microsoft’s Role and Trust Store Policy

  • Criticism that Microsoft’s CA inclusion process is opaque compared to Mozilla’s; some suspect government/commercial deals drive inclusion.
  • Counterpoints claim Microsoft likely does vet CAs but that any trust store will eventually contain actors that later misbehave.
  • Several commenters say Windows’ broad, less transparent trust list is a reason to prefer Chrome’s or Mozilla’s root programs; others ask for tooling to adopt those lists on Windows.

Government CAs and Control

  • Government CAs are used for identity, digital signatures, and open banking in Brazil; revocation checks are more strictly enforced there than in browsers.
  • Some argue states want CAs in OS trust stores for strategic independence and the ability to monitor/inspect traffic.
  • Others note organizations can and usually should use internal CAs for interception instead of globally trusted roots.

Systemic WebPKI Concerns and Alternatives

  • Many see this as another example that WebPKI is structurally fragile and over-centralized.
  • CT and CAA are praised but noted as dependent on CA compliance.
  • Ideas discussed: TLD-constrained trust, DNSSEC+DANE, richer user control over which CAs to trust, and multi-entity “trust assertions” about CAs.
  • Skeptics argue large-scale replacement of the current PKI is practically very hard given legacy systems and slow-moving institutions.
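
The point about CAA depending on CA compliance is easier to see with the check itself written out: the record is published by the domain owner, but it constrains nothing unless the issuing CA evaluates it before signing. Below is an added example, not code from the discussion or from any CA, of the RFC 8659 evaluation a compliant CA performs; DNS answers are replaced by a constructed in-memory zone, and all names in it are constructed.

```python
"""RFC 8659 CAA evaluation as a compliant CA performs it (added example)."""
from typing import Dict, List, Tuple

# A CAA record is (flags, tag, value); flag bit 0x80 is "issuer critical".
CAARecord = Tuple[int, str, str]
CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data standing in for DNS answers.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "trusted-ca.example"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],            # empty issuer: nobody may issue
    "wild.example.com": [(0, "issue", "trusted-ca.example"),
                         (0, "issuewild", "wild-ca.example")],
    "strict.example.com": [(CRITICAL, "futuretag", "x")],  # unknown critical property
}


def relevant_rrset(zone, fqdn: str) -> List[CAARecord]:
    """Walk from the FQDN toward the root; the first name with CAA records wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain_of(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' or '' -> '' (matches no CA)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, fqdn: str, issuer_domain: str) -> bool:
    """Return True if a CA identified by `issuer_domain` may issue for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True  # no CAA anywhere on the path: issuance is not restricted
    # An unrecognised property carrying the critical flag blocks issuance outright.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # Wildcard requests obey issuewild when present and fall back to issue otherwise;
    # non-wildcard requests ignore issuewild entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # the RRset restricts nothing relevant to this request type
    return any(issuer_domain_of(v) == issuer_domain.lower() for v in applicable)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "trusted-ca.example"),
                     ("www.example.com", "other-ca.example"),
                     ("*.wild.example.com", "trusted-ca.example"),
                     ("locked.example.com", "trusted-ca.example")]:
        print(f"{ca} -> {name}: {'permitted' if caa_permits(ZONE, name, ca) else 'DENIED'}")
```

Every branch here runs inside the CA's issuance pipeline. A CA that omits the call, or that is compromised or careless at the moment of issuance, is not constrained by any record the domain owner publishes, which is why the discussion treats CAA (like CT logging) as a control that relies on the CA doing its part, and why root program enforcement remains the backstop.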