My personal conspiracy theory is that root CAs have long been compromised somehow, but the government(s) that holds the keys can’t risk letting that secret out as evidence in any court case so they must keep the knowledge secret until something bad enough happens that they could risk letting it be known.
… what? How the hell does a CA let that slip?
Welcome to the age when the only correct infra is the one you self-host.
From what I see in the article it seems it’s a classic case of Croatian public sector IT being incompetent. But it doesn’t seem to be that big of an issue. They were only created for internal testing and were immediately revoked. It’s still not good, but the opportunity for exploit here to me seems extremely low.
CAs are like BGP: it's "trust me bro" all the way down.
The case demonstrates the "single point of failure" vulnerability in the certificate authority ecosystem.