Hacker News new | ask | show | jobs
by brainscdf 2308 days ago
> Oh yeah, it'd be great if Google could MITM half the SSL on the internet...

How exactly would Google MITM half the SSL on the internet by virtue of issuing certificates via ACME?

The private key never leaves the subject's system (the system hosting a website for example). Google would never have access to the private key for which it would issue the public key certificate.

Further, if Google abuses its power by issuing a fake certificate for another website and uses that to MITM all traffic to that website, all browsers and systems would remove the offending CA certificates from their trust store immediately. Look what happened to DigiNotar.
1 comments
ignoramous 2308 days ago
Not that I expect Google to issue fake certs, but DigiNotar also doesn't command 80%+ browser marketshare to soften the blowback.
link
brainscdf 2308 days ago
> Not that I expect Google to issue fake certs, but DigiNotar also doesn't command 80%+ browser marketshare to soften the blowback.

Not sure how that is relevant. DigiNotar was a trusted root CA in all major browsers. So if an attacker managed to get a fake certificate issued by DigiNotar, they could attack 100% of the users visiting the website for which the fake certificate was issued.

In fact, they did issue fake certificates by accident due to a security breach. As soon as the error was caught, their CA certificates were removed from all browsers. They went bankrupt! That's how serious this business of issuing certificates is.

link
thenewnewguy 2308 days ago
It's relevant because Google isn't likely to remove _themselves_ from their browser, which is currently the most popular web browser on the planet.

For this reason alone, having a major browser dev as a CA is not a good idea, regardless of how much or little you trust google.

link
jacobparker 2308 days ago
Google is already a CA.

https://pki.google.com

link