Commons-based (independent org funded by EU taxpayer money) Let’s Encrypt compatible ACME certificate provider now, please.
-
@aral @EUCommission I'm sure someone in Russia can step up to provide certificates usable in places sanctioned by the U$
@LukefromDC @EUCommission Thanks but no thanks.
-
@i @EUCommission And, yet again, it’s a commercial enterprise.
@aral indeed. But you need orgs like these and other PKI operators to be able to create a CA that can compete with LE.
Let's Encrypt founding sponsors and partners include Cisco and Akamai. They are also sponsored ATM by Google, Microsoft, etc.
@EUCommission
-
@i @EUCommission Right, what I’m saying is that we need to fund not a business but an org for the common good so it’s free as in freedom not free as the free tier.
-
@aral @EUCommission The point is really that US sanctions are now so widespread as to encourage nations sanctioned by the US to cooperate with one another regardless of other factors short of direct war or invasion between one and another.
By blocking use of Let's Encrypt in sanctioned countries, the US is ceding ground to Russia at the expense of countries like Ukraine. They are dreaming if they think people will go back to straight http over this.
-
RE: https://mstdn.social/@hkrn/116718376973617082
Commons-based (independent org funded by EU taxpayer money) Let’s Encrypt compatible ACME certificate provider now, please.
CC @EUCommission (Unless you want Europe’s online security to be another bargaining chip for Trump et al.)
-
Basing anything on US policy generally is questionable; basing it on US policy right now is bananabonkers.
If it had said "UN sanctioned" or "EU sanctioned", that would be another matter entirely.
-
@aral Actalis has actually comparable services as Let's Encrypt. But it's not as advanced or stable as LE in my opinion.
https://www.actalis.com/activate-free-plan
@EUCommission
-
@i @aral @EUCommission Not really comparable when the free option is limited to a single domain SAN (with optional www variant) and no wildcards. It’s just a loss leader from a commercial CA trying to attract new paying customers.
-
@EUCommission By the way, in case you’re wondering, this means that apart from folks in Cuba and Iran not being able to use Let’s Encrypt, neither can the UN Special Rapporteur for Palestine, Francesca Albanese nor the ~11 International Criminal Court judges and other officials that are being persecuted for opposing Israel’s ongoing genocide of the Palestinian people and their efforts to bring the war criminals responsible to justice.
#LetsEncrypt #USA #fascism #israel #genocide #sanctions #EU #sovereignty
-
@LukefromDC @aral @EUCommission
Nobody even in Russia itself wants to install Russian government controlled CA on their devices.
-
@tiredbun @EUCommission @aral I was more thinking Russian 3rd parties than the government itself unless Putin has banned that.
If there's one thing less safe than encryption with a Russian certificate, it's going back to plain http, which can be read and monitored by ISPs and sometimes even a hostile party on coffeeshop wifi.
-
@aral not commons, and it requires an account, but a free and Italian option for people in the meantime: https://www.actalis.com/subscription
@jonah @aral creating a new one is useless in the short term because of the amount of time it takes to get the new CA propagated into all the OS and browser CA trust stores by default (it will take years)
this is something that should have been done many years ago.
but instead how about we just abolish the entire centralized CA system?
-
@LukefromDC @EUCommission @aral
I would generally treat any CA hosted in Russia as potentially controlled by government, due to it being a big and noticeable piece of public infrastructure that requires a lot of trust. (From my understanding, having CA root certificate installed to device or browser means it can potentially do MITM on any site browsed on it, not just ones actually signed by that CA.)
It may be a "third party" but actually a front for a big company with close ties to government (happened with third party Telegram client). Other possibility, hardware running it may be seized in a police raid at any moment, to avoid being raided company behind CA would have to answer every polite police request to give any data and potentially to do MITM attacks on their behalf.
Also, Russian government may shut down any company that works with "extremists" and in general whatever is forbidden by law (a lot, and in very vague way), meaning this CA will only be useful to squeaky clean sites that avoid politics or ones specifically licking boots of current Russian government.
With that, most people in Russia itself (knowledgeable enough about CA) would prefer any foreign one over any local one. Though I guess, for most people not in Russia it may actually be not as bad, depending on their threat model and whether they want to make everyone using their site to have to install a third party root CA certificate that will likely never come preinstalled.
-
In some places a US certificate (or even more so an OS or program) is more dangerous than a Russian or Chinese one on the basis of who the spyware (MITM "certificate" that lets attacker decrypt and resend content) answers to.
For someone in the US government or someone representing Ukrainian interests a Russian certificate would be a big problem unless marked untrusted and approved at every use for only the sites needing it, which in turn could not be trusted.
For someone OPPOSING the US government, it's a bit more complex given the Trump-Putin relationship. In a 3rd party nation opposed by the US but without a Russian influence operation trying to take over, the US certificate becomes the dangerous one.
Similarly, Russian antiwar activists should not trust anything from the US due to the likelihood of the take from US spyware making its way to Putin via Trump and his minions.
-
@feld @aral @jonah Centralization in encryption is itself a risk. Suppose the US government served Let's Encrypt and other keystores with a court order to add government-controlled certificates to allow MITM attacks, plus a gag order?
These are not anarchists, they usually don't burn grand jury subpoenas and destroy data to keep it out of the hands of those who are our enemies but not their enemies.
-
@LukefromDC @EUCommission @aral
Good point, though to my knowledge, the US doesn't do MITMs and police raids on behalf of Russia YET, and US companies in general are under less pressure from the US government, so it's more of a potential threat than one I could assume is used in practice right now, like with Russian certificates.
That's a whole can of worms with how SSL root of trust is right now, where current default security features like root CAs are potentially worse than self-signed certificates depending on threat model.