Let's Encrypt Releases Transparency Report — All Zeroes Across The Board
from the now-let's-watch-if-anything-changes dept
We’ve talked a bit about the important certificate effort being put together by EFF, Mozilla and others, called Let’s Encrypt, which will offer free certificates for HTTPS, making it much easier to encrypt the web. They’ve been busy working on the project, which is set to launch in a few months. But first… Let’s Encrypt has released its first transparency report. Yes, that’s right: before it’s launched. As you might expect, there are a lot of zeros here:

Let’s Encrypt is, smartly, getting this first report out there, with all the zeroes, before the government can swoop in and insist that it only display ranges. In other words, the baseline of exact counts is published before any gag order exists that could forbid it, so a later forced switch from exact numbers to ranges would itself be visible. Smart move. It’s also nice to see them break down all of the different possible types of orders, rather than lumping them into more general buckets. That’s an important step that it would be nice to see others follow as well.
Filed Under: fisa orders, nsls, security certificates, surveillance, transparency, transparency report, warrant canary, warrants
Companies: let's encrypt
Comments on “Let's Encrypt Releases Transparency Report — All Zeroes Across The Board”
No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!
And the few times I do get through, you complain that I’m only complaining about being censored!
Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!
man what
Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!
“And the few times I do get through, you complain that I’m only complaining about being censored!”
No, we’re complaining that you’re never censored. Everyone else can read the rambling bollocks you post in every thread and then when everybody gets tired of your crap and asks for your messages to be hidden you complain falsely about being censored! Actually censoring you would be a fantastic boon to this site, but we never do that.
Re: Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!
It would help if there was something that resembled being on topic in your post. Your post remains just off the front page because it brings less than nothing to the argument.
What is funny is the tag “This comment has been flagged by the community. Click here to show it.” acts like the super canary in the article. It shows both that something exists and that some people thought it was rubbish.
A better (tech) option
Pardon the pedantry but if the government is likely to force a range of 0 – n then NULLs would be a much better warrant canary at this stage.
Re: A better (tech) option
Except that the gov’t would see right through that pedantic game and say that for their rules, zero and null are the same.
Re: A better (tech) option
Nah, setting it at 0 works fine, because if it changes at all, then that means they’ve received at least one order for a given category, even if they can only list the range as 0-999.
The usual government trick won’t work here, where a company can only give a range including 0, therefore making it impossible to tell if a company has received 0 orders or several, because they’ve already set the baseline, and any deviation will indicate a change.
Re: Re: A better (tech) option
…except the government is likely to step in and say “you need to supply a range” at which point all those 0’s change to ranges and a number of those items get grouped together. This still doesn’t provide a warrant canary: it just proves that the government has stepped in and has meddled with the organization’s right to report. Still something, but the only thing it really tells us is when the government takes notice of this project. Unless they require that the group keep all the values at 0, even when they’re not (since it’s not illegal to lie about such things).
Re: Re: Re: A better (tech) option
This still doesn’t provide a warrant canary: it just proves that the government has stepped in and has meddled with the organization’s right to report.
Paradox warning! That’s exactly what a canary is designed for.
Re: Re: Re: A better (tech) option
I think the point is that the government cannot come to them and require a change without first having a “legal” reason to do so, as in a gag order. A gag order really cannot be ordered on the basis of “we will probably require they let us spy on their future user base.” So by doing this before launch, the government has no grounds to issue any requirements of any kind.
Re: Re: A better (tech) option
Yeah. The usual trick of requiring 0-999 basically gives the gov’t 999 “free passes”.
Perhaps you are failing to see the government’s sincere effort to improve efficiency and save cost for companies here.
To further ease compliance for companies, they should just go ahead and create a single bracket: “zero or more”. This would eliminate all the excessive cost associated with unnecessary reporting and save companies a zillion dollars. Moreover, it would help achieve full transparency on the topic.
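The comments above treat the all-zero report as a baseline and argue that any later deviation (a count changing, an exact count being replaced by a range, categories being merged, or even the wording changing) is the signal. As an added example, not code from the article or from Let’s Encrypt, here is a small Python checker that implements that reading. The report text, the category names, and the "name: value" line format are constructed for illustration.

```python
"""Treat a published transparency report as a warrant canary.

Added example, not part of the article or of Let's Encrypt's own tooling.
A baseline report (exact counts, all zero) is compared against a later
report. Any change is a finding: a count moving, an exact count replaced
by a range, a category removed/renamed/merged, or the value's wording
changing (e.g. "0" becoming "zero"). The format and category names below
are constructed.
"""
import re

# Constructed baseline: one "category: exact count" line per category.
BASELINE = """\
National Security Letters received: 0
FISA orders received: 0
Pen register / trap-and-trace orders: 0
Search warrants: 0
"""

RANGE_RE = re.compile(r"^(?P<lo>\d+)\s*[-\u2013]\s*(?P<hi>\d+)$")  # "0-249", "0 – 999"
COUNT_RE = re.compile(r"^\d+$")


def parse_report(text):
    """Map category name -> ("count", n) | ("range", lo, hi) | ("other", raw)."""
    entries = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # ignore headings and blank lines
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        m = RANGE_RE.match(value)
        if m:
            entries[name] = ("range", int(m["lo"]), int(m["hi"]))
        elif COUNT_RE.match(value):
            entries[name] = ("count", int(value))
        else:
            # Anything that is neither a bare number nor a range is a
            # wording change and is reported as such rather than guessed at.
            entries[name] = ("other", value)
    return entries


def compare(baseline_text, current_text):
    """Return a sorted list of findings; an empty list means the canary is intact."""
    base = parse_report(baseline_text)
    cur = parse_report(current_text)
    findings = []
    # Categories that vanished: removed, renamed, or lumped into a bigger bucket.
    for name in base.keys() - cur.keys():
        findings.append(f"category removed or renamed: {name!r}")
    for name in cur.keys() - base.keys():
        findings.append(f"category added: {name!r}")
    for name in base.keys() & cur.keys():
        b, c = base[name], cur[name]
        if b == c:
            continue
        if b[0] == "count" and c[0] == "range":
            findings.append(
                f"{name}: exact count {b[1]} replaced by range {c[1]}-{c[2]} "
                "(reporting has been constrained)"
            )
        elif b[0] == "count" and c[0] == "count":
            findings.append(f"{name}: count changed {b[1]} -> {c[1]}")
        else:
            findings.append(f"{name}: value changed {b!r} -> {c!r}")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed "later" report: one category forced into a range.
    later = BASELINE.replace("FISA orders received: 0", "FISA orders received: 0-249")
    for finding in compare(BASELINE, later):
        print(finding)
```

The checker deliberately does not try to decode a range back into a number: as the thread notes, once a range appears the exact count is gone, but the switch itself is the signal, and that is what gets flagged.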
sdrawcaB
I think you may be looking at this backwards. It seems very similar to “reports” I used to send around the company whenever a new database was requested, with a memo to inform me of any changes required before I cast it in stone. Add/drop fields, add/drop columns, etc.
And all the fields were filled with a single character – usually a zero, just to keep the formatting correct.
And that’s how you do it. It would be nice if more companies offered such detailed transparency reports/warrant canaries.
https
“which will offer free HTTPS security certificates, making it much easier to encrypt the web. “
What I am wondering is whether this is good or not. When everyone uses HTTPS, will this lead to less secure HTTPS, since it is worth more to break it? Like there were no viruses for Mac…??
Greets,
Rob Veld
ValueBlue
Re: https
That’s a really good question.
I am not sure about this, but this is worth studying.
Re: Re: https
Trust me; it’s been studied in-depth already.
TLS has a number of roles to play in network communications:
1) encrypt data to protect it from sniffing in-transit
2) authenticate data to verify it came from whom you expect
3) sign data so you know you got only the data you were expecting
Now here’s how it breaks:
1) man-in-the-middle servers that sign with an alternate certificate. This can be done on the client (SuperFish), at the network edge (many gateway products), or anywhere upstream that has access to a trusted certificate on the client.
2) Yeah, this is broken at a number of levels, relating to item 1 — there are many entities out there that can fake or phish the sender identity. Web of Trust helps a bit here, but the traditional methods (whitelist/blacklist) tend to fail, as the blacklists are improperly implemented in most places. How do you trust authenticity when most major governments have access to root certs?
3) This is actually still pretty safe; TLS itself has withstood most cracking attempts, and as a result, you’re likely to have received exactly what the sender sent. The only issue here is that you have no way to 100% verify that the sender was who you thought it was, unless you got the signing certificate directly from them via a separate channel, and know that nobody else has access to their root certificate.
Aside from all this, certs generally work by exclusivity; the fewer organizations who have certificates, the more secure they are. If you remove the barriers to entry so that anyone can get a certificate, then that means that while a cert may be valid, it becomes more difficult to figure out if the person who owns the certificate is trustworthy in the first place.
If certificates are free, then you can rest assured that some botnet is going to have all its nodes registering bogus certificates that it can rotate through, giving the CNs all sorts of names, from “Bankof America” to “Aqqle” to “Trusted Update Pty, LLC”. Then you’ll have tons of signed malware coming down an encrypted pipe with a “verified” host at the other end. And you’ll have all your personal data going up another pipe, similarly encrypted.
This doesn’t make certificates bad, but they’re not the panacea that many would believe — they really only protect against casual sniffing and verify the data being transmitted between two (rightly) trusted points.
Re: Re: Re: https
And it is the casual sniffing of governments that these certificates are primarily aimed at. If use of encrypt everything means that the Governments of the world cannot keep up with the decrypting of Internet traffic in real time, then most people’s privacy improves. I do not ask that the system is perfect, just strong enough to force governments to target who they spy on.
relevant precedent case law?
What is the precedent case law that establishes that the government can’t make a company lie in such a situation?
Warrant canaries seem like a speculative concept at best to me, maybe there’s something I haven’t heard of yet though.
Re: relevant precedent case law?
Perhaps a company that was ordered to lie would do it badly on purpose. If this text changes in any way it is an indication that prevarication is going on. So when the 0s become zeros you know someone has intervened.
@13
That’s a very succinct explanation. Well done.
I was just reading this earlier. Should be of interest to anyone who would like to make conscious choices about who they trust. Somewhat complex stuff, unfortunately.
https://blogs.fsfe.org/jens.lechtenboerger/2014/03/10/certificate-pinning-with-gnutls-in-the-mess-of-ssltls/
Even if they are later required to do ranges, can they not just do a wink and a nod such as:
0-249 = 0
1-250 = 1
2-251 = 2
etc..
Would that run afoul of anything?