Let's Encrypt Releases Transparency Report -- All Zeroes Across The Board
from the now-let's-watch-if-anything-changes dept
We've talked a bit about the important security certificate effort being put together by EFF, Mozilla and others, called Let's Encrypt, which will offer free HTTPS security certificates, making it much easier to encrypt the web. They've been busy working on the project, which is set to launch in a few months. But first... Let's Encrypt has released its first transparency report. Yes, that's right: before it's launched. As you might expect, there are a lot of zeros here:

Let's Encrypt is, smartly, getting this first report out there -- with all the zeroes -- before the government can swoop in and insist that it has to only display ranges. In other words, this is getting in before any gag order can stop this kind of thing. Smart move. It's also nice to see them break down all of the different possible types of orders, rather than lumping them into more general buckets. That's an important step that it would be nice to see others follow as well.
Filed Under: fisa orders, nsls, security certificates, surveillance, transparency, transparency report, warrant canary, warrants
Companies: let's encrypt
No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!
Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!
Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!
No, we're complaining that you're never censored. Everyone else can read the rambling bollocks you post in every thread, and then when everybody gets tired of your crap and asks for your messages to be hidden you complain falsely about being censored! Actually censoring you would be a fantastic boon to this site, but we never do that.
Re: Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!
What is funny is the tag "This comment has been flagged by the community. Click here to show it." acts like the super canary in the article. It shows both that something exists and that some people thought it was rubbish.
A better (tech) option
Re: A better (tech) option
Re: A better (tech) option
The usual government trick won't work here, where a company can only give a range including 0, therefore making it impossible to tell if a company has received 0 orders or several, because they've already set the baseline, and any deviation will indicate a change.
Re: Re: A better (tech) option
Re: Re: Re: A better (tech) option
Paradox warning! That's exactly what a canary is designed for.
Re: Re: Re: A better (tech) option
Re: Re: A better (tech) option
To further ease compliance for companies, they should just go ahead and create a single bracket: "zero or more". This would eliminate all the excessive cost associated with unnecessary reporting and save companies a zillion dollars. Moreover, it would help achieve full transparency on the topic.
sdrawcaB
And all the fields were filled with a single character - usually a zero, just to keep the formatting correct.
https
What I am wondering is if this is good or not. When everyone uses https, will this lead to less secure https? Since it is worth more to make breaks? Like there were no viruses for Mac...??
Greets,
Rob Veld
ValueBlue
Re: https
I am not sure about this, but this is worth studying.
Re: Re: https
TLS has a number of roles to play in network communications:
1) encrypt data to protect it from sniffing in-transit
2) authenticate data to verify it came from whom you expect
3) sign data so you know you got only the data you were expecting
Now here's how it breaks:
1) man-in-the-middle servers that sign with an alternate certificate. This can be done on the client (SuperFish), at the network edge (many gateway products), or anywhere upstream that has access to a trusted certificate on the client.
2) Yeah, this is broken at a number of levels, relating to item 1 -- there are many entities out there that can fake or phish the sender identity. Web of Trust helps a bit here, but the traditional methods (whitelist/blacklist) tend to fail, as the blacklists are improperly implemented in most places. How do you trust authenticity when most major governments have access to root certs?
3) This is actually still pretty safe; TLS itself has withstood most cracking attempts, and as a result, you're likely to have received exactly what the sender sent. The only issue here is that you have no way to 100% verify that the sender was who you thought it was, unless you got the signing certificate directly from them via a separate channel, and know that nobody else has access to their root certificate.
Aside from all this, certs generally work by exclusivity; the fewer organizations who have certificates, the more secure they are. If you remove the barriers to entry so that anyone can get a certificate, then that means that while a cert may be valid, it becomes more difficult to figure out if the person who owns the certificate is trustworthy in the first place.
If certificates are free, then you can rest assured that some botnet is going to have all its nodes registering bogus certificates that it can rotate through, giving the CNs all sorts of names, from "Bankof America" to "Aqqle" to "Trusted Update Pty, LLC". Then you'll have tons of signed malware coming down an encrypted pipe with a "verified" host at the other end. And you'll have all your personal data going up another pipe, similarly encrypted.
This doesn't make certificates bad, but they're not the panacea that many would believe -- they really only protect against casual sniffing and verify the data being transmitted between two (rightly) trusted points.
Re: Re: Re: https
And it is the casual sniffing of governments that these certificates are primarily aimed at. If use of encrypt everything means that the Governments of the world cannot keep up with the decrypting of Internet traffic in real time, then most people's privacy improves. I do not ask that the system is perfect, just strong enough to force governments to target who they spy on.
relevant precedent case law?
Warrant canaries seem like a speculatory concept at best to me; maybe there's something I haven't heard of yet, though.
Re: relevant precedent case law?
That's a very succinct explanation. Well done.
I was just reading this earlier - should be of interest to anyone who would like to make conscious choices about who they trust. Somewhat complex stuff, unfortunately.
https://blogs.fsfe.org/jens.lechtenboerger/2014/03/10/certificate-pinning-with-gnutls-in-the-mess-of-ssltls/
0-249 = 0
1-250 = 1
2-251 = 2
etc..
Would that run afoul of anything?
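As an added example (not code from the Techdirt post, from Let's Encrypt, or from any commenter), the small Python model below covers two points raised in this thread: the earlier comment that a published all-zero baseline makes any later switch to "a range including 0" detectable, and the sliding-range proposal just above (0-249 = 0, 1-250 = 1, 2-251 = 2). The order categories, counts and the dictionary shape of the reports are constructed for illustration; the layout of the actual report is not reproduced here.

```python
"""Added example, not from the Techdirt post or from Let's Encrypt: a small
model of how a transparency report's reporting format changes what a reader
can infer, plus a warrant-canary check against the all-zero baseline the
post describes. Order categories and counts below are constructed."""

from typing import Callable, Dict, List, Tuple, Union

Band = Tuple[int, int]
Reported = Union[int, Band]          # an exact count or a reported range
Report = Dict[str, Reported]

# Categories loosely modelled on the post's tags; the values are constructed.
BASELINE: Report = {
    "national_security_letters": 0,
    "fisa_orders": 0,
    "warrants": 0,
}


def fixed_band(count: int, width: int = 250) -> Band:
    """Bucket reporting of the kind the commenters worry about: the true
    count is replaced by the fixed band it falls in (0-249, 250-499, ...).
    Every count in the bottom band, including 0, looks the same."""
    lo = (count // width) * width
    return lo, lo + width - 1


def sliding_band(count: int, width: int = 250) -> Band:
    """The commenter's '0-249 = 0, 1-250 = 1, 2-251 = 2' scheme: the band
    has the same width, but its lower bound is the exact count."""
    return count, count + width - 1


def distinguishable(a: int, b: int, scheme: Callable[[int], Band]) -> bool:
    """True if two true counts produce different reports under `scheme`,
    i.e. a reader of the report could tell them apart."""
    return scheme(a) != scheme(b)


def canary_check(baseline: Report, current: Report) -> List[str]:
    """Compare a new report with the zero baseline. Any category that is no
    longer an exact 0 (a positive count, a range such as (0, 249), or a
    category that vanished) is flagged; with a published baseline of
    zeros, even a switch to 'a range including 0' is itself the signal."""
    alerts: List[str] = []
    for category, base in baseline.items():
        if category not in current:
            alerts.append(f"{category}: missing from report")
        elif current[category] != base:
            alerts.append(f"{category}: was {base!r}, now {current[category]!r}")
    return alerts


if __name__ == "__main__":
    # Constructed later report: one category forced into a range, one gone.
    later: Report = {"national_security_letters": (0, 249), "fisa_orders": 0}
    for line in canary_check(BASELINE, later):
        print("canary:", line)
    print("0 vs 5 under fixed bands:", distinguishable(0, 5, fixed_band))
    print("0 vs 5 under sliding bands:", distinguishable(0, 5, sliding_band))
```

Two things fall out of running it. Under fixed bands, 0 and 5 are indistinguishable, which is exactly why a baseline report that states an exact 0 matters: the first report that says "0-249" instead is a deviation `canary_check` flags. Under the sliding scheme, the "range" is a range in name only, since its lower bound is the true count; that is presumably what the commenter is asking about. A category that silently disappears is also flagged, because a vanished canary is the classic warning sign rather than something to ignore.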