Let's Encrypt Releases Transparency Report -- All Zeroes Across The Board

from the now-let's-watch-if-anything-changes dept

We've talked a bit about the important security certificate effort being put together by EFF, Mozilla and others, called Let's Encrypt, which will offer free HTTPS security certificates, making it much easier to encrypt the web. They've been busy working on the project which is set to launch in a few months. But first... Let's Encrypt has released its first transparency report. Yes, that's right: before it's launched. As you might expect, there are a lot of zeros here:

This is actually pretty important for a variety of reasons. First, it clearly acts as something of a warrant canary. And by posting this now, before launch and before there's even been a chance for the government to request information, Let's Encrypt is actually able to say "0." That may seem like a strange thing to say but, with other companies, the government has told them that they're not allowed to claim "0," but can only give ranges -- such as 0 to 999 if they separate out the specific government requests, or 0 to 249 if they lump together different kinds of government orders. Twitter has been fighting back against these kinds of rules, and others have argued that revealing an accurate number should be protected speech under the First Amendment.

Let's Encrypt is, smartly, getting this first report out there -- with all the zeroes -- before the government can swoop in and insist that it has to only display ranges. In other words, this is getting in before any gag order can stop this kind of thing. Smart move. It's also nice to see them break down all of the different possible types of orders, rather than lumping them into more general buckets. That's an important step that it would be nice to see others follow as well.

Filed Under: fisa orders, nsls, security certificates, surveillance, transparency, transparency report, warrant canary, warrants
Companies: let's encrypt


Reader Comments


  • This comment has been flagged by the community. Click here to show it
    The Onion Router, 2 Jul 2015 @ 7:33pm

    No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!

    And the few times I do get through, you complain that I'm only complaining about being censored!

    • This comment has been flagged by the community. Click here to show it
      Anonymous Coward, 2 Jul 2015 @ 11:29pm

      Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!

      man what

    • PaulT, 3 Jul 2015 @ 12:09am

      Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!

      "And the few times I do get through, you complain that I'm only complaining about being censored!"

      No, we're complaining that you're never censored. Everyone else can read the rambling bollocks you post in every thread and then when everybody gets tired of your crap and asks for your messages to be hidden you complain falsely about being censored! Actually censoring you would be a fantastic boon to this site, but we never do that.

      • Anonymous Coward, 5 Jul 2015 @ 10:15am

        Re: Re: No news is good news, eh? -- It's like the censoring here: if no one complains, must not be any!

        It would help if there was something that resembled being on topic in your post. Your post remains just off the front page because it brings less than nothing to the argument.

        What is funny is the tag "This comment has been flagged by the community. Click here to show it." acts like the super canary in the article. It shows both that something exists and that some people thought it was rubbish.

  • Anonymous Coward, 2 Jul 2015 @ 9:43pm

    A better (tech) option

    Pardon the pedantry but if the government is likely to force a range of 0 - n then NULLs would be a much better warrant canary at this stage.

    • Anonymous Coward, 2 Jul 2015 @ 9:48pm

      Re: A better (tech) option

      Except that the gov't would see right through that pedantic game and say that for their rules, zero and null are the same.

    • That One Guy, 2 Jul 2015 @ 9:59pm

      Re: A better (tech) option

      Nah, setting it at 0 works fine, because if it changes at all, then that means they've received at least one order for a given category, even if they can only list the range as 0-999.

      The usual government trick won't work here, where a company can only give a range including 0, therefore making it impossible to tell if a company has received 0 orders or several, because they've already set the baseline, and any deviation will indicate a change.

      • Anonymous Coward, 3 Jul 2015 @ 9:10am

        Re: Re: A better (tech) option

        ...except the government is likely to step in and say "you need to supply a range" at which point all those 0's change to ranges and a number of those items get grouped together. This still doesn't provide a warrant canary: it just proves that the government has stepped in and has meddled with the organization's right to report. Still something, but the only thing it really tells us is when the government takes notice of this project. Unless they require that the group keep all the values at 0, even when they're not (since it's not illegal to lie about such things).

        • Ninja, 3 Jul 2015 @ 9:39am

          Re: Re: Re: A better (tech) option

          This still doesn't provide a warrant canary: it just proves that the government has stepped in and has meddled with the organization's right to report.

          Paradox warning! That's exactly what a canary is designed for.

        • Village Idiot, 3 Jul 2015 @ 12:25pm

          Re: Re: Re: A better (tech) option

          I think the point is that the government cannot come to them and require a change without first having a "legal" reason to do so, as in a gag order. A gag order really cannot be ordered on the basis of "we will probably require they let us spy on their future user base." So by doing this before launch, the government has no grounds to issue any requirements of any kind.

      • Derek Kerton, 3 Jul 2015 @ 11:40am

        Re: Re: A better (tech) option

        Yeah. The usual trick of requiring 0-999 basically gives the gov't 999 "free passes".

  • HoleTurth, 3 Jul 2015 @ 12:25am

    Perhaps you are failing to see the government's sincere effort to improve efficiency and save cost for companies here.

    To further ease compliance for companies, they should just go ahead and create a single bracket: "zero or more". This would eliminate all the excessive cost associated with unnecessary reporting and save companies a zillion dollars. Moreover, it would help achieve full transparency on the topic.

  • Bamboo Harvester, 3 Jul 2015 @ 5:50am

    sdrawcaB

    I think you may be looking at this backwards. It seems very similar to "reports" I used to send around the company whenever a new database was requested, with a memo to inform me of any changes required before I cast it in stone. Add/drop fields, add/drop columns, etc.

    And all the fields were filled with a single character - usually a zero, just to keep the formatting correct.

  • Anonymous Coward, 3 Jul 2015 @ 6:33am

    And that's how you do it. It would be nice if more companies offered such detailed transparency reports/warrant canaries.

  • ValueBlue, 3 Jul 2015 @ 8:28am

    https

    "which will offer free HTTPS security certificates, making it much easier to encrypt the web. "

    What I am wondering is if this is good or not. When everyone uses https will this lead to less secure https? Since it is worth more to make breaks? Like there were no viruses for mac...??

    Greets,
    Rob Veld
    ValueBlue

    • Dave, 3 Jul 2015 @ 8:30am

      Re: https

      That's a really good question.
      I am not sure about this, but this is worth studying.

      • Anonymous Coward, 3 Jul 2015 @ 9:31am

        Re: Re: https

        Trust me; it's been studied in-depth already.

        TLS has a number of roles to play in network communications:
        1) encrypt data to protect it from sniffing in-transit
        2) authenticate data to verify it came from whom you expect
        3) sign data so you know you got only the data you were expecting

        Now here's how it breaks:
        1) man-in-the-middle servers that sign with an alternate certificate. This can be done on the client (SuperFish), at the network edge (many gateway products), or anywhere upstream that has access to a trusted certificate on the client.
        2) Yeah, this is broken at a number of levels, relating to item 1 -- there are many entities out there that can fake or phish the sender identity. Web of Trust helps a bit here, but the traditional methods (whitelist/blacklist) tend to fail, as the blacklists are improperly implemented in most places. How do you trust authenticity when most major governments have access to root certs?
        3) This is actually still pretty safe; TLS itself has withstood most cracking attempts, and as a result, you're likely to have received exactly what the sender sent. The only issue here is that you have no way to 100% verify that the sender was who you thought it was, unless you got the signing certificate directly from them via a separate channel, and know that nobody else has access to their root certificate.

        Aside from all this, certs generally work by exclusivity; the fewer organizations who have certificates, the more secure they are. If you remove the barriers to entry so that anyone can get a certificate, then that means that while a cert may be valid, it becomes more difficult to figure out if the person who owns the certificate is trustworthy in the first place.

        If certificates are free, then you can rest assured that some botnet is going to have all its nodes registering bogus certificates that it can rotate through, giving the CNs all sorts of names, from "Bankof America" to "Aqqle" to "Trusted Update Pty, LLC". Then you'll have tons of signed malware coming down an encrypted pipe with a "verified" host at the other end. And you'll have all your personal data going up another pipe, similarly encrypted.

        This doesn't make certificates bad, but they're not the panacea that many would believe -- they really only protect against casual sniffing and verify the data being transmitted between two (rightly) trusted points.

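The comment above points out that a certificate can be valid while its subject name imitates a known brand. As an added illustration (not part of the comment or the article), here is a defender-side triage of subject CNs against a watch-list; the `PROTECTED` list, the distance threshold and the `example.org` sample are assumptions, and the other sample names are the ones quoted in the comment.

```python
import re

# Assumed watch-list of names an organization wants to protect (illustrative).
PROTECTED = ["Bank of America", "Apple"]

def normalize(name: str) -> str:
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalike_of(cn: str, max_distance: int = 2):
    """Return the protected name that `cn` imitates, or None.

    An exact match is the protected name itself and is not flagged here;
    whether the requester really is that organization is a separate check.
    """
    for brand in PROTECTED:
        if cn == brand:
            return None
        if edit_distance(normalize(cn), normalize(brand)) <= max_distance:
            return brand
    return None

def triage(common_names):
    """Map each subject CN to the protected name it resembles (or None)."""
    return {cn: lookalike_of(cn) for cn in common_names}

# Constructed sample: the three names from the comment plus one benign CN.
SAMPLE_CNS = ["Bankof America", "Aqqle", "Trusted Update Pty, LLC", "example.org"]

if __name__ == "__main__":
    for cn, hit in triage(SAMPLE_CNS).items():
        print(f"{cn!r}: {'resembles ' + hit if hit else 'no match'}")
```

"Trusted Update Pty, LLC" passes this check because it imitates no listed name, which is the limit of name matching: it catches look-alikes, not generic names chosen to sound trustworthy.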

        • Anonymous Coward, 3 Jul 2015 @ 10:03am

          Re: Re: Re: https

          they really only protect against casual sniffing

          And it is the casual sniffing of governments that these certificates are primarily aimed at. If use of encrypt everything means that the Governments of the world cannot keep up with the decrypting of Internet traffic in real time, then most people's privacy improves. I do not ask that the system is perfect, just strong enough to force governments to target who they spy on.

  • Anonymous Coward, 3 Jul 2015 @ 9:35am

    relevant precedent case law?

    What is the precedent case law that establishes that the government can't make a company lie in such a situation?

    Warrant canaries seem like a speculatory concept at best to me, maybe there's something I haven't heard of yet though.

    • Anonymous Coward, 5 Jul 2015 @ 10:20am

      Re: relevant precedent case law?

      Perhaps a company that was ordered to lie would do it badly on purpose. If this text changes in any way it is an indication that prevarication is going on. So when the 0s become zeros you know someone has intervened.

  • Anonymous Coward, 3 Jul 2015 @ 4:42pm

    @13
    That's a very succinct explanation. Well done.

    I was just reading this earlier - should be of interest to anyone who would like to make conscious choices about who they trust. Somewhat complex stuff, unfortunately.
    https://blogs.fsfe.org/jens.lechtenboerger/2014/03/10/certificate-pinning-with-gnutls-in-the-mess-of-ssltls/

  • Anonymous Coward, 6 Jul 2015 @ 11:18am

    Even if they are later required to do ranges, can they not just do a wink and a nod such as:
    0-249 = 0
    1-250 = 1
    2-251 = 2
    etc..

    Would that run afoul of anything?
