Let's Encrypt Releases Transparency Report — All Zeroes Across The Board

from the now-let's-watch-if-anything-changes dept

We’ve talked a bit about the important security certificate effort being put together by EFF, Mozilla and others, called Let’s Encrypt, which will offer free HTTPS security certificates, making it much easier to encrypt the web. They’ve been busy working on the project which is set to launch in a few months. But first… Let’s Encrypt has released its first transparency report. Yes, that’s right: before it’s launched. As you might expect, there are a lot of zeros here:

This is actually pretty important for a variety of reasons. First, it clearly acts as something of a warrant canary. And by posting this now, before launch and before there’s even been a chance for the government to request information, Let’s Encrypt is actually able to say “0.” That may seem like a strange thing to say but, with other companies, the government has told them that they’re not allowed to claim “0,” but can only give ranges — such as 0 to 999 if they separate out the specific government requests, or 0 to 249 if they lump together different kinds of government orders. Twitter has been fighting back against these kinds of rules, and others have argued that revealing an accurate number should be protected speech under the First Amendment.

Let’s Encrypt is, smartly, getting this first report out there — with all the zeroes — before the government can swoop in and insist that it has to only display ranges. In other words, this is getting in before any gag order can stop this kind of thing. Smart move. It’s also nice to see them break down all of the different possible types of orders, rather than lumping them into more general buckets. That’s an important step that it would be nice to see others follow as well.

Filed Under: , , , , , , ,
Companies: let's encrypt

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Let's Encrypt Releases Transparency Report — All Zeroes Across The Board”

Subscribe: RSS Leave a comment
PaulT (profile) says:

Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!

“And the few times I do get through, you complain that I’m only complaining about being censored!”

No, we’re complaining that you’re never censored. Everyone else can read the rambling bollocks you post in every thread and then when everybody gets tired of your crap and asks for your messages top be hidden you complain falsely about being censored! Actually censoring you would be a fantastic boon to this site, but we never do that.

Anonymous Coward says:

Re: Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!

It would help if there was something that resembled being on topic in your post. Your post remains just off the front page because it brings less than nothing to the argument.

What is funny is the tag “This comment has been flagged by the community. Click here to show it.” acts like the super canary in the article. It shows both that something exists and that some people thought it was rubbish.

That One Guy (profile) says:

Re: A better (tech) option

Nah, setting it at 0 works fine, because if it changes at all, then that means they’ve received at least one order for a given category, even if they can only list the range as 0-999.

The usual government trick won’t work here, where a company can only give a range including 0, therefor making it impossible to tell if a company has received 0 orders or several, because they’ve already set the baseline, and any deviation will indicate a change.

Anonymous Coward says:

Re: Re: A better (tech) option

…except the government is likely to step in and say “you need to supply a range” at which point all those 0’s change to ranges and a number of those items get grouped together. This still doesn’t provide a warrant canary: it just proves that the government has stepped in and has meddled with the organization’s right to report. Still something, but the only thing it really tells us is when the government takes notice of this project. Unless they require that the group keep all the values at 0, even when they’re not (since it’s not illegal to lie about such things).

Village Idiot (profile) says:

Re: Re: Re: A better (tech) option

I think the point is that the government cannot come to them and require a change without first having a “legal” reason to do so, as in a gag order. A gag order really cannot be ordered on the basis of “we will probably require they let us spy on their future user base.” So by doing this before launch, the government has no grounds to issue any requirements of any kind.

HoleTurth says:

Perhaps you are failing to see the government’s sincere effort to improve efficiency and save cost for companies here.

To further ease compliance for companies, they should just go ahead and create a single bracket: “zero or more”. This would eliminate all the excessive cost associated with unnecessary reporting and save companies a zillion dollars. Moreover, it would help achieve full transparency on the topic.

Bamboo Harvester (profile) says:


I think you may be looking at this backwards. It seems very similar to “reports” I used to send around the company whenever a new database was requested, with a memo to inform me of any changes required before I cast it in stone. Add/drop fields, add/drop columns, etc.

And all the fields were filled with a single character – usually a zero, just to keep the formatting correct.

Anonymous Coward says:

Re: Re: https

Trust me; it’s been studied in-depth already.

TLS has a number of roles to play in network communications:
1) encrypt data to protect it from sniffing in-transit
2) authenticate data to verify it came from whom you expect
3) sign data so you know you got only the data you were expecting

Now here’s how it breaks:
1) man-in-the-middle servers that sign with an alternate certificate. This can be done on the client (SuperFish), at the network edge (many gateway prodcuts), or anywhere upstream that has access to a trusted certificate on the client.
2) Yeah, this is broken at a number of levels, relating to item 1 — there are many entities out there that can fake or phish the sender identity. Web of Trust helps a bit here, but the traditional methods (whitelist/blacklist) tend to fail, as the blacklists are improperly implemented in most places. How do you trust authenticity when most major governments have access to root certs?
3) This is actually still pretty safe; TLS itself has withstood most cracking attempts, and as a result, you’re likely to have received exactly what the sender sent. The only issue here is that you have no way to 100% verify that the sender was who you thought it was, unless you got the signing certificate directly from them via a separate channel, and know that nobody else has access to their root certificate.

Aside from all this, verts generally work by exclusivity; the fewer organizations who have certificates, the more secure they are. If you remove the barriers to entry so that anyone can get a certificate, then that means that while a cert may be valid, it becomes more difficult to figure out if the person who owns the certificate is trustworthy in the first place.

If certificates are free, than you can rest assured that some botnet is going to have all its nodes registering bogus certificates that it can rotate through, giving the CNs all sorts of names, from “Bankof America” to “Aqqle” to “Trusted Update Pty, LLC”. Then you’ll have tons of signed malware coming down an encrypted pipe with a “verified” host at the other end. And you’ll have all your personal data going up another pipe, similarly encrypted.

This doesn’t make certificates bad, but they’re not the panacea that many would believe — they really only protect against casual sniffing and verify the data being transmitted between two (rightly) trusted points.

Anonymous Coward says:

Re: Re: Re: https

they really only protect against casual sniffing

And it is the casual sniffing of governments that these certificates are primarily aimed at. If use of encrypt everything means that the Governments of the world cannot keep up with the decrypting of Internet traffic in real time, then most people’s privacy improves. I do not ask that the system is perfect, just strong enough to force governments to target who they spy on.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...