Comment by ekr____

15 hours ago

Can you elaborate a bit about what you mean by "the blessing of a CA"?

I agree that it's true that you need a certificate to do TLS, but importantly Let's Encrypt isn't interested in what you do with your certificate, just that you actually control the domain name. See: https://letsencrypt.org/2015/10/29/phishing-and-malware.html

Their policy today is to grant certificates liberally. There is no technical guarantee that this remains the case indefinitely, only a political one. I don't doubt the sincerity of this guarantee, but I wish I didn't have to rely on it.

  • A big factor is that they are serving so many certs, with only a tiny amount of funding. Anything beyond the most basic pre-written list of blocked domain names is infeasible. Analyzing the content of every single domain would increase their resource needs by several orders of magnitude. That's reasonably close to a technical guarantee, if you ask me.

    • > That's reasonably close to a technical guarantee, if you ask me.

      Until the feds show up like:

        Okay, either you block these domains, or you're going to jail:
        politician-x-did-something-bad.com
        politician-y-is-corrupt.com
        country-z-did-crimes-against-humanity.com
        political-opposition-party-w-homepage.com
        blog-that-mentions-any-of-the-above.com
        ... (rest of the list that works for 10 or 100'000 domains)

      I complained about the centralization that reminds me of Cloudflare in another place, but in general the more distributed this sort of infra is, the better. Both for technical reasons and for political ones. In general, one can plan around potential risks like "Okay, what if I assume that this infra of mine is actually running in Russia and the govt hates me and I need to migrate."

      VPSes and domains are pretty easy to move across country borders (e.g. moving from NameCheap to INWX and from something like AWS to Hetzner, at least for simple setups), less so when you don't control the CA.