Project ideas from Hacker News discussions.

Fooling Go's X.509 Certificate Verification

📝 Discussion Summary

3 Dominant Themes

1. The “Go kids” narrative is a straw‑man

“The Go "kids" are famous for, among other things, being industry leaders 30 years ago.” — gowld
“Between this and the IPv6 zone identifier issue, it feels like there's a trend of commenters more or less assuming Go is doing the wrong thing when it's actually following the standards/best practices more correctly than average.” — jchw

2. Go’s stricter X.509 string‑comparison stance

“Go requires the Issuer and Subject to be byte‑for‑byte equal.” — agwa
“The reason it doesn’t validate in Go is that the Subject field in the CA certificate uses a different string encoding than the Issuer field in the leaf certificate, so the fields are not byte‑for‑byte equal.” — agwa

3. Mis‑perception that Chrome/OpenSSL are “right” while Go is the outlier

“Most people accessing a site are likely not using Golang and are using Chrome. Thus Chrome is assumed right and Go is the one that's the outlier.” — fragmede
“That's a different point, this particular thread is actually about a behavior that Chrome/OpenSSL/etc. have that is actually somewhat undesirable due to being complex and error prone.” — jchw

All quotations are taken verbatim from the discussion.


🚀 Project Ideas

[X.509 Normalizer API]

Summary

  • Offers a hosted API that normalizes and validates X.509 DNs, eliminating encoding‑related validation bugs.
  • Enables cross‑language services to obtain a unified certificate view.

Details

| Key | Value |
|---|---|
| Target Audience | developers of microservices and API gateways |
| Core Feature | Normalize DNs and return validation status via REST |
| Tech Stack | Python FastAPI + cryptography |
| Difficulty | Low |
| Monetization | Hobby |

Notes

  • HN user ahmedtd noted: “Go correctly insists on byte‑for‑byte equality while other libs approximate it.”
  • Provides a simple contract for CI checks and security audits.
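
The check at the heart of this idea and of theme 2, as an added example that is not code from the HN thread or from any existing project: it compares a leaf's Issuer with a CA's Subject as raw DER, then as decoded text, to tell an encoding mismatch from a genuinely different name. All function names and the "Example CA" names are constructed for illustration, and it uses only the standard library rather than the stack listed above.

```python
# Added example (standard library only); every name below is hypothetical.
PRINTABLE, UTF8 = 0x13, 0x0C               # ASN.1 string type tags
OID_CN = bytes.fromhex("0603550403")       # DER for OID 2.5.4.3 (commonName)

def tlv(tag, body):
    """Encode one DER TLV with a short- or long-form definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def make_name(cn, string_tag):
    """Build a Name: SEQUENCE { SET { SEQUENCE { OID, string } } }."""
    return tlv(0x30, tlv(0x31, tlv(0x30, OID_CN + tlv(string_tag, cn.encode()))))

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long form: next k bytes hold the length
        k = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + first], pos + first

def attributes(name_der):
    """Flatten a Name into [(oid, string_tag, text)], keeping RDN order.
    Assumption: ASCII-compatible string types only (no BMPString etc.)."""
    _, rdns, _ = read_tlv(name_der)
    out, p = [], 0
    while p < len(rdns):
        _, rdn, p = read_tlv(rdns, p)      # one RDN (SET)
        q = 0
        while q < len(rdn):
            _, atv, q = read_tlv(rdn, q)   # AttributeTypeAndValue (SEQUENCE)
            _, oid, r = read_tlv(atv)
            vtag, val, _ = read_tlv(atv, r)
            out.append((oid, vtag, val.decode("utf-8")))
    return out

def classify(issuer_der, subject_der):
    """Compare a leaf's Issuer with a CA's Subject, both given as raw DER."""
    if issuer_der == subject_der:
        return "byte-equal"                # the comparison Go requires
    texts = lambda name: [(oid, text) for oid, _, text in attributes(name)]
    if texts(issuer_der) == texts(subject_der):
        return "encoding-mismatch"         # same text, different string tag
    return "different-name"

LEAF_ISSUER = make_name("Example CA", UTF8)       # constructed sample input
CA_SUBJECT = make_name("Example CA", PRINTABLE)   # same text, other encoding
```

A pair classified as `encoding-mismatch` is one where a strict byte-for-byte verifier and a verifier that compares decoded text can disagree about whether the chain links up.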

[CertChain Mismatch Detector Chrome Extension]

Summary

  • Scans live web pages for certificate chains with mismatched DN encodings and alerts developers.
  • Helps prevent supply‑chain attacks that rely on parsing divergences.

Details

| Key | Value |
|---|---|
| Target Audience | security researchers and web developers |
| Core Feature | Real‑time detection of DN encoding mismatches in page certificates |
| Tech Stack | JavaScript Chrome extension using Web Crypto API |
| Difficulty | Medium |
| Monetization | Revenue-ready: freemium |

Notes

  • HN commenter sidewndr46 suggested: “Require multiple language implementations to expose spec ambiguities.”
  • Can be published on Chrome Web Store with premium reporting features.
