Whomever has this fake certificate can run a server and say it's google.com and windows will say "yep you are" with the little green lock.

Where? In Edge you mean?

And everything that uses the OS trust store, when run on Windows, I assume.

Nope, certificates are issued for CNs(Common Name), also known as FQDNs (Fully qualified domain names). Something such as *.google.com, not IP addresses.

If they were issued for IP addresses they would have to reissue the certificate every time they spun up a new server. Also it's why if you spin up another server and make DNS point google.com to that server, it would not pass verification since the certificate you will be using on that server is not issued to *.google.com, but rather some other domain you own. The IP address plays no role in certificates.

Nit: a CN (stored in the Subject field of a cert) is not an FQDN, though historically web browsers treated them as such. This practice is now deprecated. Modern practice is for the domain name(s) to be placed in the Subject Alternative Name (SAN) field.

The Subject field is not consulted so long as the SAN field is present, and can in theory be any X.500 Distinguished Name, of which Common Name is one possible attribute, which may be any freeform string of a limited length (though it is typically set to the primary domain the cert is issued for, for easy identification).

Certificates can be issued to IP addresses (at least on SAN level, not sure if they are allowed in CN in CA/B baseline requirements), like https://crt.sh/?id=15492507462

That is different in context to what was being asked though.

> And without DNS pointing google.com to that IP address, it's pretty useless.

On the internet itself maybe, but you can still MITM people on some network, right?

Microsoft appears to have arranged with the government of Brazil for one of their national CAs to have the ability to mint arbitrary certificates. Only Microsoft's own WebPKI software cares; Chrome, Safari, and Firefox don't trust this CA.

Whoever has the private certificate can pretend to be google.com to people using windows.

The brower (possibly only edge) and system would show the connection as being secure.

It's not entirely about this particular certificate (although this is bad, too). This is about a certificate authority giving someone who is NOT Google, a certificate that can be used to "prove" a server is Google. Accidental or not, this should not happen.

The "blast radius" is limited to Microsoft since they are the only ones that trust this particular certificate authority. Your non-Microsoft browser won't trust these certs. Your non-Microsoft OS, Java program, etc. etc. won't trust these certs.

Chrome uses the Windows trust store on Windows, IIRC.

I dug a little and apparently Chrome previously used the trust store of the platform but has now transitioned away from that to use their own. https://blog.chromium.org/2022/09/announcing-launch-of-chrom...

But even before they switched to this "Chrome Root Program", they have distrusted specific CAs, for example Symantec in 2017. https://security.googleblog.com/2017/09/chromes-plan-to-dist...

Thanks for the info! Didn’t know they moved on.