
Ask HN: Is Let's Encrypt the new Swiss Crypto AG? - Coxa
Just wondering ... it does seem less far-fetched in the light of the Swiss Crypto AG revelations.
======
infogulch
Are you familiar with how certificates and CAs work in general? You don't
_receive_ a certificate from the CA, they just sign and _attest_ that the one
you made is owned by you. The ways CAs go bad is not breaking any crypto but
by signing a certificate that you don't own. This vulnerability is well known
and LE takes industry-leading steps to mitigate it via the certificate
transparency program which is a permanent auditable log of all certificates
they sign.

~~~
Coxa
From my understanding, the certificate transparency program does not
mitigate the threat of them simply not disclosing a certificate they signed.
Ultimately this still gives them MitM capabilities as long as they control the
traffic, or am I mistaken?

~~~
DenseComet
When certificates are submitted to CT logs, they are given a Signed Certificate
Timestamp by the log, which can be attached to the certificate. Chrome and
other major browsers require that every certificate has them attached and
signed by a trusted log operator, guaranteeing that each certificate is
submitted to a CT log.

[https://github.com/chromium/ct-policy/blob/master/ct_policy....](https://github.com/chromium/ct-policy/blob/master/ct_policy.md#qualifying-certificate)
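
The SCTs described in the comment above travel inside the certificate as a TLS-encoded list (RFC 6962) in the extension with OID 1.3.6.1.4.1.11129.2.4.2. As an added example that is not part of the original thread, this code parses such a list and counts the distinct trusted logs behind it; the log IDs, timestamps and signature bytes are constructed, and verifying each SCT signature against the log's public key is assumed to happen elsewhere.

```python
import hashlib
import struct

def parse_sct(sct):
    """Parse one v1 SignedCertificateTimestamp (RFC 6962, section 3.2)."""
    if len(sct) < 47:  # 1 version + 32 log id + 8 timestamp + 2 + 1 + 1 + 2
        raise ValueError("SCT too short")
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct, 0)
    off = 43 + ext_len  # skip the CtExtensions field
    if off + 4 > len(sct):
        raise ValueError("SCT extensions overrun the entry")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, off)
    if off + 4 + sig_len != len(sct):
        raise ValueError("SCT signature length mismatch")
    return {"version": version, "log_id": log_id, "timestamp_ms": ts_ms,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sct[off + 4:]}

def parse_sct_list(blob):
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(blob) < 2 or struct.unpack_from(">H", blob)[0] != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack_from(">H", blob, pos)
        if pos + 2 + n > len(blob):
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(blob[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def distinct_logs(scts, trusted_log_ids):
    """Count distinct trusted logs with a v1 SCT (signatures are NOT verified here)."""
    return len({s["log_id"] for s in scts
                if s["version"] == 0 and s["log_id"] in trusted_log_ids})

# Constructed sample data: made-up log IDs and placeholder signature bytes.
def build_sct(log_id, ts_ms, sig=b"\x00" * 8):
    head = struct.pack(">B32sQH", 0, log_id, ts_ms, 0)  # v1, no extensions
    return head + struct.pack(">BBH", 4, 3, len(sig)) + sig  # sha256 / ecdsa

def build_list(scts):
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

LOG_A = hashlib.sha256(b"constructed log A").digest()
LOG_B = hashlib.sha256(b"constructed log B").digest()
SAMPLE = build_list([build_sct(LOG_A, 1581500000000), build_sct(LOG_B, 1581500001000)])
```

A client enforcing a CT policy would compare `distinct_logs(...)` against the minimum its policy requires, after verifying each signature.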

~~~
Coxa
Seems like this is currently disabled in Firefox [1]. Do you have any sources
for Safari or MS Edge?

[1] [https://wiki.mozilla.org/PKI:CT](https://wiki.mozilla.org/PKI:CT)

------
tree3
Why are you specifically targeting LE with this post? Why not other CAs?

~~~
Coxa
Because I want to use LE and not other CAs.

~~~
throwaway3neu94
That's misguided (I'm assuming you're the server admin).

Whether you use any specific CA, like LE, or not, has no security impact.

It's about what your _users_ trust and you don't control that.

~~~
Coxa
In an ideal world I would say you're right. In practice they don't even know
who they trust.

------
jeffrallen
As a centralized piece of software that has made itself responsible for safely
massaging millions of private keys, certbot would certainly be a juicy target
for NSA to compromise.

------
smoyer
Betteridge's Law says "No" ... and given certificates are generated locally, I
don't see how the certificates themselves could be compromised. The trust in a
certificate (or trust in a false certificate) could potentially be manipulated
by an upstream party.

~~~
45ure
The 'law' is more of an observation and generally applies to headlines. I feel
you are being overly dismissive, as a question is being asked in a
dedicated section. There have been instances of CAs, most notably Symantec,
which have turned out to be bad apples. There is a constant stream of news
dispelling myths surrounding seemingly reputable firms regarding
encryption/privacy. Whether these incidences are related or not, discussions
like these need to be afforded a lot more leeway than most, and fleshed out,
rather than being stifled.

~~~
smoyer
I'm not arguing against having the discussion ... my point is that trust in
any certificate is reliant on its chain-of-trust and so if Let's Encrypt has
this problem, you can't trust other certificates either. But the implication
in the headline is that the NSA/CIA are controlling Let's Encrypt. If that's
true, then we've got a real problem ... on the other hand, I think other CAs
have shown that, through incompetence or malice, they can't always be trusted
either.

~~~
nullc
HTTPS certs provide extraordinarily limited security in any case, there is no
need to single out Let's Encrypt.

If you can receive an HTTP request destined to the target domain (e.g. via MITM
near the real target, DNS hijacking, or route hijacking, or MITM near a CA)
then you can get a cert issued for that domain by pretty much any popular CA.

With security so limited, what would be the purpose of compromising Let's
Encrypt?

~~~
nullc
Massive downvotes but no responses.

Is it because you accept that the security provided by HTTPS is limited but
don't like people calling that out?

It's better than nothing. But it is my perspective that as technical experts
any time we are not absolutely frank about the limitations of the current
model against powerful MITM attackers we are behaving unethically.

There is absolutely no reason for any major state attacker to compromise
Let's Encrypt. Beyond the weaknesses I enumerated above, state actors have their
own CAs which are accepted by browsers and pinning is effectively dead
([https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browse...](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browser_support_and_deprecation)).

What exactly could a state actor hope to accomplish by compromising
Let's Encrypt that they couldn't already do more easily and stealthily?

------
drummer
I suppose it would be trivial for them to issue compromised certificates or
record the private key in a targeted attack for a specific domain without
anyone noticing.

~~~
advisedwang
During normal certificate issuance, they do not generate or see the private
key, so they can't compromise the certs they sign for you.

Like any other CA, they do have the technical ability to sign arbitrary other
certs, so could issue a cert for MITM. As some other comments show,
certificate transparency is starting to reduce this risk.

~~~
jeffrallen
LE does not see the private key but certbot does. Who audits certbot?

~~~
nwallin
Anyone. It's open source. You can if you'd like.

[https://github.com/certbot/certbot](https://github.com/certbot/certbot)

