Hacker News new | ask | show | jobs
by brianpan 563 days ago
It's not entirely about this particular certificate (although this is bad, too). This is about a certificate authority giving someone who is NOT Google, a certificate that can be used to "prove" a server is Google. Accidental or not, this should not happen.

The "blast radius" is limited to Microsoft since they are the only ones that trust this particular certificate authority. Your non-Microsoft browser won't trust these certs. Your non-Microsoft OS, Java program, etc. etc. won't trust these certs.
1 comments
xcrunner529 563 days ago
Chrome uses the Windows trust store on Windows, IIRC.
link
brianpan 562 days ago
I dug a little and apparently Chrome previously used the trust store of the platform but has now transitioned away from that to use their own. https://blog.chromium.org/2022/09/announcing-launch-of-chrom...

But even before they switched to this "Chrome Root Program", they have distrusted specific CAs, for example Symantec in 2017. https://security.googleblog.com/2017/09/chromes-plan-to-dist...

link
xcrunner529 562 days ago
Thanks for the info! Didn’t know they moved on.
link