> having a significant portion of the world's TLS be under one umbrella isn't a good thing.
Why is that? The damage from a CA being hacked is not proportional to the size of the CA - they are all equally (small number of exceptions notwithstanding) capable of issuing certificates for any domain which will be trusted by all major browsers.
Is there another aspect I'm not considering? While I see how it feels like a troubling thing, I'm struggling to actually come up with any real consequences of it.
It's been awhile since I had to deal with ocsp breakage, but if it breaks due to an ocsp server down, doesn't that mean the browser or web server is misconfigured? Of course, if browsers are misconfigured out of the box, that doesn't help at all...
It wasn't as simple as the ocsp server being down. It was returning bad request (http 400) responses. When the good responses expired from caches, the bad responses started going out and breakage started spreading. LE detailed this in their postmortem which I linked.
Punishing CAs for bad behavior (ie Security Problems) has more collateral damage the bigger a CA is. Right now, if a CA is bad enough browsers just stop accepting their certificates. After a certain size that becomes unfeasible, removing a lot of pressure from that CA
No, browsers don't do that. See how WoSign was distrusted[0]. Basically, they still trusted existing certificates, but stopped trusting new certs (both renewed or brand new). Through this, they kept collateral damage to a minimum, while carrying the CA death sentence.
The trouble is that's only possible with the CA's cooperation, because they have the ability to backdate the certificates by falsifying the date. In the case of WoSign Mozilla threatened to distrust them completely if they did that, but if it's unfeasible to remove a CA that threat may be ineffectual.
This kind of forgery can be mitigated by requiring all certificates to be published to a Certificate Transparency server upon issuance. You can't backdate a public ledger that is being watched by third parties.
The pressure will come from the public. If they damage their reputation, people will be less willing to donate, which will pretty directly influence their income stream.
Assuming Facebook's numbers represent two-thirds of all web users then I'm saying I'd be surprised if LetsEncrypt have more than 30,000 donors.
If we're quibbling about "the public" then the GP comments only make sense if "the public" means "people who aren't IT professionals", in which case I'd warrant that there are far fewer donors than 30k who aren't IT professionals, indeed it's got to be ~0.
Can't see donor details on the LE pages though? Mind you at approx.av.300k certs issued daily (https://letsencrypt.org/stats/) I concede I could easily be orders of magnitude out in my guesswork.
It's not just about access to their private key, but also downtime (expected or otherwise), and bugs in the cert verification process.
I don't know of anything concrete, but I can imagine an attack that can exploit the process of verification on their servers to have them sign domains they shouldn't, or DDoS attacks on them to prevent people from renewing their certificates. The bigger they are, the juicier of a target they are for these kinds of things. if they were a provider of 50% of the internet's TLS certificates, you could take down half the internet by continually DDoSing a single company!
Hell I can already imagine someone sending a bunch of signing requests spoofed as someone else, locking that person out of renewing due to rate limiting.
Not to mention that even the country they operate in can be a big deal.
Let's Encrypt strongly encourages you to use a tool that does automatic renewal a month before the cert expires. If someone manages to DDoS Let's Encrypt for an entire month, I think we're firmly into "you have bigger problems" territory. (Among other things, if 50% of the internet were in fact on LE, major internet providers like CloudFlare and Akamai and Google would start offering to run LE directly on their own infrastructure after a week or so of this.)
Bugs in the cert verification process are the same amount of risk regardless of whether everyone is using the CA or nobody is, as long as the CA is trusted. There's nothing gained by putting your eggs in multiple baskets.
Also, these all seem like hypotheticals when the old-school CAs have had OCSP downtime, bugs in the cert verification process, incompetent staff signing and publicly logging google.com certs to test their infrastructure, governments asking and receiving unconstrained intermediates, unconstrained intermediates as a publicly advertised product, etc.
You're right but size doesn't really factor in any of your points.
Assume for instance that the country of Hackeristan manages to have one of its authorities accepted in major web browsers. This authority is only meant to sign Hackeristan domains and only signs a tiny amount of certificates.
Now let's imagine that this authority is compromised, maybe the Hackeristan government wants to intercept connections to gmail, maybe the authority is vulnerable to hackers. One way or an other, it signs a bogus *.google.com certificate. Well it's game over, since the authority is trusted by all major browsers everybody's vulnerable, even though it was a tiny CA. Only certificate pinning can save you now.
Yes, but if LE was the only major CA, then if you could attack "Company A" by impersonating them and making lots of signing requests causing them to hit rate limits you could take "Company A" offline.
If LE was found to be incompetent and lost control of their private key, browsers would be much less willing to remove them as trusted if they were a significant portion of the web.
And things like the impact of DDoSing LE to take their OCSP servers down and things like that still grow with their size.
To clarify, I love LE and I use them almost exclusively. But I'd feel better if there were others trying to follow in their footsteps.
The parent makes the point that it's not necessarily the case since hacking any trusted CA (no matter the size) lets you generate certificates for anything. If letsencrypt was hacked today it could be used to generate a valid google.com certificate for instance, even though Google's certificate is normally issued by their own authority.
It's a weakness of the current authority architecture really, trusting a CA is an all or nothing decision. If any of the authorities is compromised you're vulnerable until you remove the CA from your browser, regardless of the number of legit certificates it issued.
Why is that? The damage from a CA being hacked is not proportional to the size of the CA - they are all equally (small number of exceptions notwithstanding) capable of issuing certificates for any domain which will be trusted by all major browsers.
Is there another aspect I'm not considering? While I see how it feels like a troubling thing, I'm struggling to actually come up with any real consequences of it.