Fooling Go's X.509 Certificate Verification

Go rejects a certificate OpenSSL accepts, and the comments instantly turn into nerd court

TLDR: A blog post found a certificate that OpenSSL accepts but Go rejects because the names only appear identical, not exact in storage. Commenters were split between “wow, weird” and “this is ancient, boring, and definitely not ‘fooling’ Go,” turning the thread into a nerdy blame battle.

A tiny certificate-checking mismatch somehow turned into full-on comment-section theater. The blog post shows a strange case where OpenSSL, the old-school internet security tool, happily accepts a certificate chain, while Go, the programming language, throws a dramatic "unknown authority" error. To a normal person, this means one app says, “Looks legit,” while the other says, “Absolutely not.” And the internet, naturally, took that personally.

The biggest split in the replies was over whether this is a shocking security gotcha or just old news dressed up as scandal. One camp basically yawned and pointed to a years-old Go issue thread, saying this debate was settled ages ago. Another went full professor mode, scolding the newer crowd with a “kids today” speech and reminding everyone that certificate weirdness has been haunting computers for decades. Translation: some commenters treated the post like a thrilling exposé, others treated it like someone rediscovering fire.

Then came the technical mic drop: one commenter explained that the two names in the certificates only look the same to humans, but aren’t stored in exactly the same way under the hood, so Go refuses to trust them. That sparked a second wave of drama: is Go being picky, or is it being smart? Critics called the “fooling Go” headline overblown, saying this isn’t trickery so much as Go refusing a sketchy edge case. Even the jokes had bite, including the author’s roast about anyone still using OpenSSL in 2126. In the end, the real spectacle wasn’t the certificate — it was the community arguing over whether this was a bug, a feature, or a history lesson nobody asked for.

Key Points

  • The article provides a root CA certificate and a leaf certificate that OpenSSL verifies successfully as a valid chain.
  • A Go program using `crypto/x509` to verify the same certificate chain returns `x509: certificate signed by unknown authority`.
  • The verification code reads PEM files, parses the certificates, adds the root to a certificate pool, and calls `Verify` with the current time.
  • A replacement CA certificate file causes the Go program to verify the chain successfully.
  • The article says OpenSSL text inspection shows identical visible certificate fields, despite the differing verification outcome in Go.
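The Go verification flow from the key points, written out as an added example (not the post's code and not its certificates): it builds a root and a leaf in memory instead of reading PEM files, adds the root to a pool, calls `Verify` with the current time, and then repeats the check with a leaf whose issuer prints identically but is encoded differently. The specific encoding difference used here (a UTF8String CN instead of the PrintableString Go emits) is an assumption chosen to illustrate the "same to humans, not the same bytes" point; the page does not say which difference its certificates have.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
// Demo builds a constructed root and signs two leaves with its key: one whose issuer bytes
// equal the root's RawSubject, one whose issuer merely reads the same. nil means Go accepted.
func Demo() (sameBytes, sameTextOnly error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	pool := x509.NewCertPool() // the page's Go flow: root into a pool, then Verify
	pool.AddCert(root)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	verify := func(parent *x509.Certificate) error {
		der, err := x509.CreateCertificate(rand.Reader, leafTmpl, parent, &leafKey.PublicKey, rootKey)
		if err != nil {
			return err
		}
		leaf, _ := x509.ParseCertificate(der) // parsing DER we just produced cannot fail
		_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
		return err
	}
	sameBytes = verify(root) // issuer copied byte-for-byte from root.RawSubject
	// Same root, subject DER re-encoded as a UTF8String CN (assumption, see lead-in): the leaf's
	// Issuer.String() is still "CN=Test Root", but the pool is keyed by exact RawSubject bytes.
	alt := *root
	alt.RawSubject, _ = asn1.Marshal(pkix.RDNSequence{{{Type: asn1.ObjectIdentifier{2, 5, 4, 3},
		Value: asn1.RawValue{Tag: asn1.TagUTF8String, Bytes: []byte("Test Root")}}}})
	sameTextOnly = verify(&alt)
	return sameBytes, sameTextOnly
}

func main() { fmt.Println(Demo()) }
```

Running it prints `<nil>` for the byte-identical issuer and the `x509: certificate signed by unknown authority` error for the text-identical one, the same outcome the post reports for its chain.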

Hottest takes

"This is what happens when kids today are unaware of history." — pseudohadamard
"This is uninteresting." — briansmith
"which part of this involved 'fooling' Go?" — entrope
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.