Google’s Domain Certificate Issued by Microsoft-Only Trusted Brazilian CA ICP-Brasil, Purpose Unknown
Brook.X
ICP-Brasil, a digital certificate authority (CA) in Brazil primarily issues digital certificates for virtual identity verification of Brazilian citizens. Due to various non-compliance actions in the past, ICP-Brasil currently only enjoys trust from Microsoft.
Being trusted solely by Microsoft means that digital certificates from ICP-Brasil are accepted in Windows 10/11 and other Microsoft products, while browsers like Mozilla Firefox choose not to trust these certificates.
The industry has once again raised concerns as ICP-Brasil seems to have quietly issued a digital certificate for Google's main search domain, Google.com. It's highly unlikely that Google would actively seek a certificate from this CA.
Google operates its own intermediate CA, issuing domain certificates for all its products and services, and specifies through DNS CAA RR (Certification Authority Authorization Resource Record) that only pki.goog is allowed to issue certificates for its domains.
The question arises: How could ICP-Brasil issue a certificate for Google? If DNS records were properly scanned, the issuance should have been rejected, even if Google had requested it from ICP-Brasil.
Such action is actually a violation, indicating ICP-Brasil issued a certificate for Google’s domain without Google's application and without following CAA RR rules, breaking the regulations set by the CA/Browser Forum.
The speculation is that ICP-Brasil might have issued the digital certificate to Google with the intent of hijacking, as this certificate is trusted on systems like Windows 10/11, including Windows Server.
Both Microsoft Edge and Google Chrome browsers read from the Windows certificate store, and as long as Microsoft trusts it, neither will raise an alarm. Firefox, however, will alert and refuse the connection.
So far, neither ICP-Brasil nor Google has issued any statement regarding this matter. It remains unclear if Google can prevent such unauthorized certificate issuance, as a hijacked main domain poses a security risk to users in Brazil and globally.
