Hacker News new | ask | show | jobs
by bflesch 155 days ago
Thank you, I missed the part with several "top of the chain" providers. So all of them would need to go down at the same time for things to really stop working.

How many "top of chain" providers is letsencrypt using? Are they a single point of failure in that regard?

I'd imagine that other "top of chain" providers want money for their certificates and that they might have a manual process which is slower than letsencrypt?
2 comments
mholt 155 days ago
LE has 2 primary production data centers: https://letsencrypt.status.io/

But in general, one of the points of ACME is to eliminate dependence on a single provider, and prevent vendor lock-in. ACME clients should ideally support multiple ACME CAs.

For example, Caddy defaults to both LE and ZeroSSL. Users can additionally configure other CAs like Google Trust Services.

This document discusses several failure modes to consider: https://github.com/https-dev/docs/blob/master/acme-ops.md#if...

link
cpach 155 days ago
“Are they a single point of failure in that regard?”

It depends. If the ACME client is configured to only use Let’s Encrypt, then the answer is yes. But the client could fall-back to Google’s CA, ZeroSSL, etc. And then there is no single point of failure.

link
bflesch 155 days ago
Makes sense. I assume each of them is in control and at the whims of US president?
link
cpach 155 days ago
It seems that currently most free CAs have a big presence in the US, and employ quite a few US employees.

ZeroSSL/HID Global seems to be quite multi-national though, and it’s owned by a Swedish company (Assa Abloy).

I don’t know what what kind of mitigations these orgs have in place if the shit really hits the fan in the US. It’s an interesting question for sure.

link
iso1631 155 days ago
Fundamentally, Microsoft, Google and Apple are all run by American citizens living in America. Firefox is pretty much the same.

The US has strong institutions which prevent the President or Government at large controlling these on a whim. If those institutions fail then they could all push out an update which removes all "top of chain" trusted certificate authorities other than ones approved by the US government.

In that situation the internet is basically finished as it stands now, and the OSes would be non-trustworthy anyway.

Fixing the SSL problems is the easy part, the free world would push its own root certificate out -- which people would have to manually install from a trusted source, but that's nothing compared to the real problem.

Sure, Ubuntu, Suse etc aren't based in the US, but the number of phones without a US based OS is basically zero, you'd have to start from scratch with a forked version of android which likely has NSA approved backdoors in it anyway. Non-linux based machines would also need to be wiped.

link
alwillis 154 days ago
> Makes sense. I assume each of them is in control and at the whims of US president?

Absolutely not.

If the president attempted to force a US-based CA to do something bad they don't want to do, they would sue the government. So far, this administration loses 80% of the lawsuits brought against it.

link
iso1631 154 days ago
You're putting a lot of trust in US institutions (courts etc). The rest of the world is starting to see them as not a strong and independent as they were once assumed.

And that's before more overt issues. Microsoft/Google/etc could sue to stop the US ordering them to do what they should. Is the CEO really willing to risk their life to do that? Be a terrible shame if their kids got caught up in a traffic accident.

link
alwillis 151 days ago
> You're putting a lot of trust in US institutions (courts etc)

I don't have a lot of trust in US institutions actually. The most powerful universities, corporations and law firms have capitulated to him.

So far, the tech companies have placated Trump by contributing to his causes and heaping praise upon him and not speaking out regarding the tariffs. That's enough for now.

> Is the CEO really willing to risk their life to do that?

We're not at that point; at least not so far. Besides, it's much easier to blackmail them for more money or for the Department of Justice to open an investigation or to stop a merger they want to do.

Also these companies aren't just sitting around doing nothing. Apple reworked their supply chain; all iPhones sold in the US are now made in India.

link
mholt 155 days ago
They are not in control of the US president.
link
bflesch 155 days ago
I'm pretty sure that the .org TLD can be shut off by the US at any point in time.
link
iso1631 155 days ago
Lets Encrypt do not control the US president.

You could argue that The Don in charge of the US is in control of letsencrypt

link
bflesch 154 days ago
Yeah, it's a bit far fetched but after Cloudflare CEO basically threatening to cut off Italy I was wondering what would happen if US really invades Greenland.

A simple windows to linux migration is not enough. If certificates expire without a way to refresh you'd either need to manually touch every machine to swap root certificates or have some of other contingency plan.

link
alwillis 154 days ago
> You could argue that The Don in charge of the US is in control of letsencrypt

He's not in control of letsencrypt or any other US-based CA.

It may not be well known, but Trump's administration loses about 80% of the time when they've been sued by companies, cities and states.

There's much more risk of state-sponsored cyber attacks against US companies.

link
cpach 155 days ago
That’s not relevant though. These CAs will gladly give you a .se/.dk/.in/whatever cert as long as validation passes.
link
bflesch 154 days ago
I hope so, but can we really be sure that .se or .de would still work in such a scenario? Is the TLD root management really split up vertically or is the (presumably US-based) TLD parent organization also the final authority for every country TLD?

It would be nice to at least have a very high level contingency plan because in worst case I won't be able to google it.

link