Andrew Ayer
agwa
A Brazilian certificate authority trusted only by Microsoft has issued a presumably-unauthorized certificate for google.com: https://bugzilla.mozilla.org/show_bug.cgi?id=1934361
This can be used to intercept traffic to Google from Edge and other Windows applications (except Chrome and Firefox). Hug-ops to Google folks.
Microsoft are well aware of the extensive history of problems with this CA - I emailed them my concerns in 2021, and further issues were raised during a public CCADB discussion in 2022 - but they clearly don't care. I hope this incident prompts some change; Windows users deserve better!
Andrew Ayer
agwa
Examples of incompetence: https://bugzilla.mozilla.org/show_bug.cgi?id=1674669#c10
Public discussion for one of their sub-CAs: https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/MhxJXipVAwAJ
Just because the certificate subject contains the serial number of a Google subsidiary doesn't mean the certificate was authorized by Google - a CA can put anything they want in that field, and this CA clearly doesn't validate what they put in certificates.