2016 Postmortem
In reply to the discussion: So let me get this straight... [View all]Recursion
(56,582 posts)1. Her server had a .gov address, and the cert was issued by the government Certificate Authority (not all servers hosting a .gov domain are government-owned)
2. The government Certificate Authority is totally free to also issue certificates for .com, .net, .edu, even .uk or .ru if they wanted to. (It's not even limited to domains; they can issue a certificate to "The person who posts as Recursion on Democratic Underground" if they felt like it, or "The owner of the deli on 102nd and 7th".) And actually since they probably MitM most internal traffic to begin with, it's a safe assumption they do that already.
The SSL certificate traces back to, say, GoDaddy. Their certificate traces back to Verisign. The chain checks out, so your web browser trusts the response.
That would be ideal, wouldn't it? But, no, that's not how certificate verification works; you're describing a hypothetical secured model like DANE. As it is, my OS has 172 entities who are allowed to sign any certificate with full trust. It's an appalling situation.