Indeed. However, it's important to note that even if someone does MITM letsencrypt.org, they only see your public key and CSR. The private keys never get sent over the wire, so you don't risk leaking your private keys. However, a MITM could issue you a fake certificate that doesn't chain back to the Let's Encrypt root. This risk isn't any more than the way most CAs do it now (they email you the signed certificate).
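The two checks that comment implies (the returned certificate matches your own key, and it chains to the root you expect rather than to whatever an on-path attacker signed it with), as an added example that is not from this thread. It simulates the exchange offline with openssl: a constructed root standing in for the Let's Encrypt root, a rogue CA standing in for the attacker, and the hypothetical helpers `key_matches` and `chains_to_root` doing the checks.

```shell
#!/bin/sh
# Added example: offline simulation of CSR -> certificate issuance, plus the
# two checks a client should run on whatever certificate comes back.
set -eu
work=$(mktemp -d)
cd "$work"

# Constructed root CA (assumption: stands in for the Let's Encrypt root).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 3 >/dev/null 2>&1
# Your key pair and CSR. Only csr.pem (public key + subject) goes over the wire.
openssl req -newkey rsa:2048 -nodes -keyout site.key -out csr.pem \
  -subj "/CN=example.test" >/dev/null 2>&1
# Legitimate issuance from the expected root.
openssl x509 -req -in csr.pem -CA root.pem -CAkey root.key -CAcreateserial \
  -out site.pem -days 3 >/dev/null 2>&1
# Constructed rogue CA: what an on-path attacker could sign the same CSR with.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
  -subj "/CN=Rogue CA" -days 3 >/dev/null 2>&1
openssl x509 -req -in csr.pem -CA rogue.pem -CAkey rogue.key -CAcreateserial \
  -out fake.pem -days 3 >/dev/null 2>&1

# Check 1: public key in the certificate ($1) equals the one in our private key ($2).
key_matches() {
  from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  from_cert=$(openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$from_key" = "$from_cert" ]
}

# Check 2: certificate ($1) chains to the trusted root ($2) and nothing else.
chains_to_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Note that the fake certificate passes check 1 too, since the attacker signed your real CSR; only the chain check tells the two apart.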
The threat is that Google (perhaps forced by the NSA, perhaps only for some users) modifies Chrome to include code that logs all keystrokes or specifically detects the Signal extension (or standalone app if Chrome is also installed) and uploads the plaintext of all messages to Google or to the NSA.
In other words, you have to trust Google to not insert such a trojan by itself and to not bow down to the U.S. government should it try to secretly force Google to do so.
You also have to trust that their security is good enough to prevent third parties from covertly performing such a feat.
That's not to say that Google should not be trusted or should be trusted less than other parties, but that's the threat.
hmmm, one thing we could really use is some tests. Maybe you could write some simple capybara/rspec or equivalent integration tests for the site, just to make sure that its parts are functioning correctly?
It's more like you want a linter with custom rules for how you think a page should look. Actually, it's impressive to create the entire site with only content and simple layout. It's interesting there isn't a better way to manage and edit all that content...
508 Compliance is another interesting point. Open source scanner to assess if a page complies? It's another linter, it has to look at the html. I don't know much about 508 but I'm going to say from a quick look at your <html> that it's as clean as you could possibly hope for, and I would expect that latest screen reading tools would be able to navigate it. If that's not the case it says more about the particular reading tool than the website.
The facility locator! That was interesting, the default state is everything selected, please flip it to everything deselected. I haven't tried it out more because it overloaded ;-)
Benefits comparison tool also looks like it has a pretty big data set behind it, that was probably cool to develop.
I wouldn't say it's a philosophical difference. We're definitely tackling the problem in two different ways, but that's not because either group thinks the other is wrong, it's because this is a big problem that requires attacking it from many angles.
Why do you put it that way? Everyone serving in the military takes home a paycheck, but that doesn't make them mercenaries.
The top tech talent that we aim to attract to USDS often can make far more than these salaries staying in the private sector, so appealing to a sense of civic duty and offering short-term engagements is what we have to do to recruit.
Honestly, that's much better than I was expecting. Two years working to improve our shitty government systems in exchange for a quarter of a million? Sounds like a fair short-term deal, even if higher comp is available elsewhere...
The actually-doing-tech-work GS levels (GS-10 to GS-13), by comparison, are 50-60k. That is where government pay is still the big impediment.
$116k/yr for your entire mid/late career would also suck (compared to 200-400k in industry), but for <2 years, I can't see that alone being a huge issue, unless you have kids in college, are paying for a mortgage elsewhere, etc.