A Brazilian certificate authority trusted only by Microsoft has issued a presumably-unauthorized certificate for google.com: https://bugzilla.mozilla.org/show_bug.cgi?id=1934361

This can be used to intercept traffic to Google from Edge and other Windows applications (except Chrome and Firefox). Hug-ops to Google folks.

Microsoft are well aware of the extensive history of problems with this CA - I emailed them my concerns in 2021, and further issues were raised during a public CCADB discussion in 2022 - but they clearly don't care. I hope this incident prompts some change; Windows users deserve better!
bkim

@agwa I'm curious about the discussions on this CA, what are the issues? It is the root for several Brazilian government services, and I had the (layman's) impression that they are competent.

@bkim

Examples of incompetence: https://bugzilla.mozilla.org/show_bug.cgi?id=1674669#c10
Public discussion for one of their sub-CAs: https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/MhxJXipVAwAJ

Just because the certificate subject contains the serial number of a Google subsidiary doesn't mean the certificate was authorized by Google - a CA can put anything they want in that field, and this CA clearly doesn't validate what they put in certificates.

@bkim @agwa google.com sets a CAA record that explicitly forbids issuance by anyone except Google's own CA. A publicly trusted WebPKI CA is required to check this.

In the end it just adds to the list of problems that were already mentioned in the two unsuccessful inclusion requests to Mozilla. And it seems Microsoft does not care.
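The CAA check the reply above refers to is specified in RFC 8659: before issuing, a CA walks from the requested name toward the DNS root, takes the first non-empty CAA RRset it finds, and refuses unless one of its own issuer-domain-names appears in the governing issue (or, for wildcards, issuewild) property. The following is an added illustration written for this page; it is not code from the thread, from Google, or from any CA. The zone data is constructed and embedded so it runs offline, and the "pki.goog" value attached to google.com is an assumption made for the example rather than a live lookup.

```python
"""CAA issuance check in the shape RFC 8659 prescribes (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ISSUER_CRITICAL = 0x80  # RFC 8659 s.4.1: flags bit 7 = issuer critical


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data: owner name -> CAA RRset. Names absent here, or mapped
# to an empty list, have no CAA records.
ZONE: Dict[str, List[CAARecord]] = {
    # Assumed for the example: only the CA identified as pki.goog may issue.
    "google.com": [CAARecord(0, "issue", "pki.goog")],
    # One permitted CA for ordinary names; wildcard issuance forbidden outright.
    "example.org": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),
    ],
    # A critical property tag this CA does not understand.
    "strict.example": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],
}


def relevant_caa_rrset(name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 s.3: drop a leading '*' label, then climb toward the root; the
    first owner name with a non-empty CAA RRset is the relevant one.
    CNAME/DNAME following from the RFC is omitted here for brevity."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = ZONE.get(owner, [])
        if rrset:
            return owner, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """An issue/issuewild value is 'issuer-domain-name [; parameters]'.
    An empty issuer-domain-name (value ';') authorises nobody."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domains: Iterable[str], requested_name: str) -> Tuple[bool, str]:
    """Decide whether a CA identified by any of ca_domains may issue for
    requested_name. Returns (allowed, reason)."""
    ca_set = {d.lower() for d in ca_domains}
    owner, rrset = relevant_caa_rrset(requested_name)
    if not rrset:
        return True, "no CAA RRset on the path to the root; unrestricted"
    # s.4.1: an unknown property tag with the critical bit set blocks issuance.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown property '{rr.tag}' at {owner}"
    tags = {rr.tag.lower() for rr in rrset}
    wildcard = requested_name.startswith("*.")
    if wildcard and "issuewild" in tags:
        governing = "issuewild"  # s.4.3: issuewild overrides issue for wildcards
    elif "issue" in tags:
        governing = "issue"      # s.4.2: issue governs (wildcards too if no issuewild)
    else:
        return True, f"CAA at {owner} restricts nothing (e.g. iodef only)"
    permitted = {issuer_domain(rr.value) for rr in rrset if rr.tag.lower() == governing}
    if ca_set & permitted:
        return True, f"{governing} at {owner} names this CA"
    return False, f"{governing} at {owner} permits only {sorted(permitted)}"


if __name__ == "__main__":
    # Hypothetical issuer-domain-name for a CA that is not pki.goog.
    for ca, name in [({"pki.goog"}, "www.google.com"),
                     ({"other-ca.example"}, "www.google.com"),
                     ({"ca-one.example"}, "*.example.org")]:
        print(ca, name, may_issue(ca, name))
```

The interesting outcomes are the negative ones: a CA whose issuer-domain-name is not listed under google.com is refused, a wildcard under example.org is refused because issuewild ";" names nobody, and a critical tag the CA cannot interpret is a hard stop. A real implementation also has to follow CNAME/DNAME chains and treat a DNS lookup failure as a failure to issue unless the lookup can be retried, both of which RFC 8659 spells out.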