
As a security consultant this boggles my mind. I push companies with much less sensitive systems to use better security practices. It's crazy that these foundational systems lack such controls, but I guess that's due to race to the bottom economic factors?



Most of these are small ccTLDs with minimal management. For most countries they just kind of got assigned a TLD and some random person in the telecommunications department of the government, the postal office, or a university has been keeping it going for years.

I recently tried reporting a security issue to a ccTLD. As a registrar thankfully I was able to reach out to ICANN for assistance, but even then the person who operated the TLD had just retired and there was no replacement.


Wait until you find out where CA certificates come from. The answer is: e-mail and a public Salesforce instance.


You're talking about issuing certificates via email? That's a widely documented process, I've used it. SharePoint... I'm not familiar with. I'd love a reference.

Certificate issuance doesn't need to be perfect. We have Certificate Transparency, for example, to catch misissuance, and CAA records to restrict the process.
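As an added illustration of the CAA side of that comment (this is example code, not something the commenter or any CA published): the RFC 8659 decision a CA has to make before issuing, run over a constructed in-memory zone instead of live DNS. The zone names, the two hypothetical CA issuer domains under the reserved .example TLD, and the omission of CNAME/DNAME following are all assumptions made for the example.

```python
"""Decide whether a CA may issue for a name under RFC 8659 CAA rules.

Added example, not code from the page or any CA. ZONE is a constructed,
in-memory stand-in for DNS; a real checker would resolve CAA over DNS
(with DNSSEC validation and CNAME/DNAME following, both omitted here).
"""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit in the CAA flags byte


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data. CA issuer domains are hypothetical (.example TLD).
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # Empty issuer domain ("issue ;"): no CA at all may issue for this name.
    "secure.example.com": [CAARecord(0, "issue", ";")],
    # issuewild carries parameters after ';' which must be ignored when matching.
    "wild.example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", "ca-two.example; accounturi=https://ca-two.example/acct/42"),
    ],
    # A critical record with a tag the CA does not understand forbids issuance.
    "locked.example.com": [CAARecord(CRITICAL, "futuretag", "x")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(fqdn, zone=ZONE):
    """RFC 8659 section 3: walk from the FQDN toward the root and return the
    first non-empty CAA RRset found (the closest ancestor with CAA records)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in zone:
            return zone[name]
    return []


def issuer_domain(value):
    """Issuer domain from an issue/issuewild value, dropping ';'-separated
    parameters. Returns '' for 'issue ;', which authorizes nobody."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain, fqdn, zone=ZONE):
    """True if the CA identified by ca_domain may issue a certificate for fqdn.
    fqdn may be a wildcard name such as '*.wild.example.com'."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: CAA does not restrict issuance
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # unknown critical property: MUST NOT issue
    governing = [r for r in rrset if r.tag.lower() == "issue"]
    if wildcard:
        wild = [r for r in rrset if r.tag.lower() == "issuewild"]
        if wild:
            governing = wild  # issuewild takes precedence for wildcard names
    if not governing:
        return True  # e.g. only an iodef record: issuance is not restricted
    return any(issuer_domain(r.value) == ca_domain.lower() for r in governing)


if __name__ == "__main__":
    for ca, name in [("ca-one.example", "app.example.com"),
                     ("ca-two.example", "app.example.com"),
                     ("ca-one.example", "secure.example.com"),
                     ("ca-two.example", "*.wild.example.com"),
                     ("ca-one.example", "locked.example.com")]:
        print(f"{ca:16} -> {name:22} {'issue' if may_issue(ca, name) else 'REFUSE'}")
```

The point worth noticing is that `app.example.com` with no CAA records of its own is still governed by the parent's records, and that a CAA set containing only `iodef` restricts nothing; both are common sources of confusion when someone audits a zone and concludes that CAA "is set".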



Ah, you're not talking about issuance. I think you're implying that the browsers blindly copy their trust roots from the linked Salesforce site, and you don't think Salesforce provides suitable tampering protection.

I'm not shocked? The website discusses audit responsibilities quite a bit, which seems like it mitigates tampering concerns. Sure I'd prefer something other than Salesforce too, but I'm not seeing a glaring issue here.


Can you elaborate on that? Certificates are usually public anyway, but the matching private keys aren't. CAs usually have them on HSM devices only. If you mean private keys are shared via email: keys from the CA certs, or just from the certificates the CA signed? For instance, getting a CA publicly into a browser is expensive and requires audits, so your experience makes me curious.


This is probably the "No one cares about security unless something breaks (and then security team gets blamed)" mindset especially in public areas.



