Let’s Encrypt at risk from Trump cuts to OTF: “Let’s Encrypt received around $800,000 in funding from the OTF”
Dear @EUCommission, get your heads out of your arses and let’s find @letsencrypt €1M/year (a rounding error in EU finances) and have them move to the EU.
If Let’s Encrypt is fucked, the web is fucked, and the Small Web is fucked too. So how about we don’t let that happen, yeah?
(In the meanwhile, if the Let’s Encrypt folks want to make a point about how essential they are, it might be an idea to refuse certificates to republican politicians. See how they like their donation systems breaking in real time…)
CC @nlnet @NGIZero@mastodon.xyz
#USA #fascism #OpenTechFund #LetsEncrypt #SSL #TLS #encryption #EU #web #tech #SmallWeb #SmallTech https://mastodon.social/@publictorsten/114223873439053263
The main problem is the bureaucracy associated with this. Another issue is the ownership control of the organisation (DEP Cybersecurity): the organisation needs to be controlled by EU citizens and located in the EU.
@a @EUCommission @letsencrypt @nlnet None of that is insurmountable or even hard. Could be done in a week if the political will was there. It’s such low-hanging fruit.
@aral I really would like to share your optimism too.
If I can help in some ways, let me know. I was tracking the RFA budget withdrawal and wondering how long OTF can survive without the funding.
@a @aral We don't need to move Let's Encrypt to the EU. We need to run an EU-based equivalent, and make it so that the infrastructure they run is easily replicated.
As this development clearly demonstrates, Let's Encrypt is a single point of failure. It was never a good idea. It was just a less bad idea than others.
And no, that's absolutely not suggesting they didn't do great work. This is about designing for resilience.
@aral @a @EUCommission @letsencrypt @nlnet While I agree, given the amount of "hey could you please put a back door in the chat app?" bullshit that European governments have once again regressed to recently, I'm not particularly hopeful about the "political will" part
@vanderZwan @aral @a @EUCommission @letsencrypt @nlnet US agencies can have back doors without even asking. How is that better?
@ptesarik
Well you're bringing up that comparison, not me, so I wouldn't know.
I'm just venting my frustration with the fact that yes, this could be easily fixed if not for the part where the political will among the majority of the elected (and extremely indirectly elected so practically unelected) politicians is missing.
@aral @EUCommission @letsencrypt @nlnet I'm happy to donate.
@TheDutchChief @EUCommission @letsencrypt @nlnet Thank you, but you shouldn’t have to. You pay your taxes? That should be enough. This should be public infrastructure.
@aral:
I don't want to pay a cent. Neither donate, nor via taxes.
@aral @EUCommission @letsencrypt @nlnet
I wish Australia would do something too, but we can't even organise an SSL certificate for a frequently accessed website like the national weather service...
@aral @EUCommission @letsencrypt @nlnet Google and other large tech companies can also make up the difference, assuming they're funding it already. If not, they certainly should.
@AlesandroOrtiz @EUCommission @letsencrypt @nlnet I’d rather we (the EU, via our taxpayer money) had more of a role than Google for reasons I don’t believe I have to restate in 2025.
@aral @EUCommission @letsencrypt @nlnet Fair enough. As long as the same private companies that benefit from LE pay their fair share of taxes too, we're roughly on the same page.
These companies and their users benefit from a more secure web, so they should pay for that, directly or indirectly.
In this case, I also doubt private companies would let LE be abandoned since it requires active maintenance costs in servers, etc. (vs. open source software they use which generally doesn't have public/expensive external infrastructure).
@aral they can't. that'd completely go against their values.
this is like asking them to refuse letsencrypt in Russia, they can't. it's an automated certificate system, they can't just prevent the issuing certificates simply because of their party.
even big websites, like the national security agency, and even whitehouse.gov use letsencrypt as well, so it wouldn't be a good sign for anyone.
@adisonverlice If "following your values" prevents you from taking material action to impede the advance of nazis, you need to reevaluate or reprioritize your values.
@dalias I see where you're going with this. But again, let's put out the hypothetical scenario that the Let's Encrypt foundation stopped issuing certificates for them (the Nazis).
Again, this will not slow them down, as they can turn to other paid providers who will gladly do it for them. Take DigiCert: they issue certs for almost all of the government sites besides the NSA and a few others. For example, https://www.defense.gov uses DigiCert. So if the (Nazis) wanted to, they could simply use DigiCert; it's not out of their budget. Also, don't forget about GTS (Google Trust Services) and also Cloudflare.
So it would slow them down at best, do nothing at worst.
@dalias Also keep in mind they issue certificates to everyone who requests them. It could be a small web dev like myself, it could be the rich politician in America; they will issue certs for literally anyone.
"Let's Encrypt is a global Certificate Authority (CA). We let people and organizations around the world obtain, renew, and manage SSL/TLS certificates."
@adisonverlice @dalias "Everyone" except those the US government doesn't like. They don't issue (and revoke them if they did) to entities under US sanctions.
I will agree Let's Encrypt absolutely needs money to keep the lights on, and if worst comes to worst, hopefully they will move to the EU. What I don't agree with is removing certificates from politicians that are in a different party.
@adisonverlice s/politicians that are in a different party/nazis committing genocide and on the path to obliterating democracy/
Also, this wouldn't prevent shit because the federal government can either use DigiCert (which is what some agencies use for certificate generation) or Google Trust Services PKI.
Google Trust Services also issues automatically, I believe.
So simply doing that to Let's Encrypt wouldn't exactly hurt politicians. They have money we don't, so using DigiCert, Sectigo or even Entrust is something they can absolutely do.
@aral @EUCommission @nlnet Call me weird, but the development of @letsencrypt vs. @cacert shows everything wrong with the way #SSL works.
We would've had a superior alternative to #LetsEncrypt if #GAFAMs weren't able or even allowed to cockblock #CACert by refusing to import its root CA, whilst every commercial #CA gets their keys imported, no matter how shit they are or that they are essentially a hostile state actor!
@kkarhan @EUCommission @nlnet @letsencrypt @cacert Yes, I’ve been yelling from the top of my lungs that core Internet infrastructure like domain names, DNS, and TLS certificates should be public infrastructure for as long as I can remember. These are perfect examples of manufactured scarcity.
@aral @EUCommission @nlnet @letsencrypt @cacert Not only that, I think we need self-governing namespaces similar to @torproject #OnionServices (even tho they are prone to #typosquatting-esque #Sybil/#EvilTwin-style #phishing attacks!)...
Or a federated TLD/root system. Alternate roots exist, but nothing can achieve universality under the current Internet regime.
@gharbeia @aral @EUCommission I mean, #OpenNIC works as an alternative root zone, and #NameDotSpace allegedly failed at suing #ICANN for their monopoly.
As for #certificates, @cacert ironed that out ages ago...
@kkarhan @aral
I had these two in mind as I wrote, but again, under the current internet regime, they have no place and are forced to remain niche. But AFAIK, both alternate roots wanted into the coalition, while I aspire for a [con]federation of roots.
I'm in @cacert since mid 2000s, and still have the record of the tragedy in my mailbox archive.
@BenBen @sovtechfund Thanks :)
@aral I totally understand what you're saying and I'm behind it too. But you should still remember that before Letsencrypt there was already Internet and it wasn't broken. It just got prettier.
@gideonstar @aral It got more dangerous is what you mean, which is why @letsencrypt was needed.
It got more secure. Used to be that if you checked your email on an open wifi network anyone else on that network could follow along until email providers started using SSL.
@gideonstar @aral that might have been true back then. Nowadays you wouldn't get very far without an SSL certificate or a self-signed one
@aral Or let's use the protocol they created, ACME, to create more independent CAs, EU-based! https://github.com/tdelmas/Let-s-Clone
@tdelmas Nice + yep, we could have an EU-based provider and regulate so that browsers must accept them.
And have it work with OpenNIC so we can decouple domain names from the artificial scarcity of the commercial ICANN.
@aral Also, the problem is not only the funding. Under US law, they can't issue certificates to anybody under US sanctions. It's only by chance that the International Criminal Court (https://www.whitehouse.gov/presidential-actions/2025/02/imposing-sanctions-on-the-international-criminal-court/) was not impacted.
@tdelmas Good shout. Yes. And what’s the use of a standard if there aren’t multiple implementations?
@tdelmas this is something I’d very much like to get behind to make happen, if you were organising towards it
The first step would be to create a non-profit structure.
Then set up the infrastructure.
Once the structure and the infrastructure are strong, then comes the "getting accepted into certificate stores", which is a multi-year process that needs to be bootstrapped by a cross-signature from an already accepted CA. Maybe @letsencrypt could help with that (or a commercial CA for a fee).
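As an added illustration of the cross-signature bootstrap described in the post above (this is example code, not from the thread, from the Let-s-Clone project, or from Let's Encrypt): an already-trusted CA signs the new CA's root key under a second certificate, so a leaf issued by the new CA validates both for clients that trust only the established root and for clients that already trust the new root. It assumes a POSIX shell and the `openssl` command-line tool; "Established Root", "New EU Root" and the hostname example.eu are made-up names.

```shell
#!/bin/sh
# Added example: bootstrapping a new CA by cross-signature with openssl.
# "Established Root", "New EU Root" and example.eu are constructed names.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_EXT="$WORK/ca.ext"
LEAF_EXT="$WORK/leaf.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nsubjectAltName=DNS:example.eu\n' > "$LEAF_EXT"

# RSA key and CSR for file prefix $1 with Common Name $2.
new_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" >/dev/null 2>&1
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" >/dev/null
}

# Self-signed root certificate for prefix $1, with CA extensions.
self_sign_root() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 -sha256 \
    -extfile "$CA_EXT" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Sign CSR $1 with CA $2 using extension file $3; write $4.crt.
sign_with_ca() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$3" -out "$WORK/$4.crt" >/dev/null 2>&1
}

# Validate leaf.crt against trust anchor $1.crt; $2 (optional) is an
# untrusted chain certificate, i.e. what a server would send with the leaf.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

# A cross-certificate carries the same subject and public key as the
# self-signed new root; only issuer and signature differ.
cross_cert_matches_root() {
  [ "$(openssl x509 -in "$WORK/newroot.crt" -noout -subject)" = \
    "$(openssl x509 -in "$WORK/newroot-cross.crt" -noout -subject)" ] &&
  [ "$(openssl x509 -in "$WORK/newroot.crt" -noout -pubkey)" = \
    "$(openssl x509 -in "$WORK/newroot-cross.crt" -noout -pubkey)" ]
}

build_demo() {
  new_key_and_csr established "Established Root"   # CA already in trust stores
  self_sign_root established
  new_key_and_csr newroot "New EU Root"            # the newcomer's own root
  self_sign_root newroot
  # Cross-signature: the established root certifies the new root's CSR
  # (same key, same subject), yielding a second certificate for that key.
  sign_with_ca newroot established "$CA_EXT" newroot-cross
  # An end-entity certificate issued by the new CA.
  new_key_and_csr leaf example.eu
  sign_with_ca leaf newroot "$LEAF_EXT" leaf
}

build_demo
cross_cert_matches_root || { echo "FAIL: cross-cert does not match new root"; exit 1; }
verify_leaf established newroot-cross || { echo "FAIL: chain via cross-cert"; exit 1; }
echo "ok: valid for clients trusting only the established root (chain includes cross-cert)"
verify_leaf newroot || { echo "FAIL: chain to new root"; exit 1; }
echo "ok: valid for clients that already trust the new root"
if verify_leaf established newroot; then
  echo "unexpected: self-signed new root was accepted by a client that does not trust it"
else
  echo "as expected: sending the self-signed new root instead of the cross-cert fails"
fi
if verify_leaf established; then
  echo "unexpected: validated with no chain certificate at all"
else
  echo "as expected: without the cross-cert in the chain there is no path to the established root"
fi
```

Until the new root is in the browsers' stores, every server using the new CA has to send the cross-certificate in its chain; once the root is accepted, the same leaf validates directly and the cross-certificate becomes optional.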
@tdelmas @aral Are you not aware of the other ACME-capable CAs? Two of the five CAs listed here are based in Europe. And I don't know if it's an exhaustive list.
https://acmeclients.com/certificate-authorities/
@aral @EUCommission @letsencrypt @nlnet
Sounds like you need to give Jack Chambers' office a call. Wish I had a way in for you. Any chance you know someone with clout? (possibly your good self, I don't know!)
@aral @EUCommission @letsencrypt @nlnet Oh, that would be sweet!