Misused certificates

No.

And as I said, it's about individual responsibility. I don't want anybody to filter what I can see. I want to choose my filters.

Don't interfere with infrastructure-level services.

3 Likes

There's a big difference between censoring content and blocking malicious websites.

No, there isn't. It's a very small difference.

It needs surgical precision and the border is not the same for everyone.

3 Likes

Is there really? If you include only phishing sites in your category of "malicious websites," maybe, but even then, I expect there will be cases where it's unclear. But would that be all? What about a "malware" site? What if the "malware" is a keygen or crack that functions exactly as described and doesn't harm anything on the user's computer? And what about other content-based matters? Because others have demanded that LE refuse to issue, or even revoke, any certs for Russian users/companies/government (depending on the particular demand; several folks have made such demands here) due to their actions in Ukraine. Yet others have demanded that LE revoke a site's cert based on that site's alleged "discrimination." Another user, based on "hate speech," which that user seemed to think is a crime (it isn't, at least not in the United States where LE is based).

These aren't random hypotheticals; they're real requests that have been made on this very forum. And they all, just like your demand, depend on the same fundamental misunderstanding of what a CA is supposed to do. The CA certifies only that you're communicating privately with the entity whose identification is on the cert. It has never certified anything else. It can never certify anything else. If you, or your users, or other random users that you're concerned about, have misunderstood what that cert means, I'm sorry, but the problem is with you/them.

5 Likes

There is a simple answer to those questions. Follow the same rules that hosting providers and registrars follow.

Obviously phishing and malware sites are not legal. Keygens or cracks, in most cases, aren't legal but you can go to Tor for crap like that.

It would be up to LE to define their policy.

And what rules are those? Where are they published, and what binding effect do they have?

There are some limited general rules on registrars enforced by ICANN. There are none whatsoever for hosting providers; each provider is free to make its own policy, consistent with the laws of the location(s) in which it operates.

They have. You don't like it. That's your call, I guess, but "BradR doesn't like it" isn't a reason for LE to change its policy, no matter how dumb you think that policy is.

4 Likes

Of course, but you must know that Let's Encrypt's origins are in Mozilla, EFF, and the University of Michigan.

I don't know about the University of Michigan, but I believe if you start talking about content filtering at Mozilla or the EFF you'll be laughed out of the room. There are good reasons why it's like that.

2 Likes

This thread has fully covered pretty much every point and argument, so I'm closing it. Thanks for your input, everyone.

This blog post covers ISRG's position on these issues. Speaking personally and not necessarily on behalf of ISRG, I think many of the points on both "sides" of the argument are valid; these are definitely issues where reasonable people can disagree.

One small practical point that I don't think has been covered yet (again, speaking personally): A weakness of trying to use threat intelligence feeds for CAs is that malicious actors will typically get their certificates right away, before anyone has any indication that a new domain may be malicious. Once a domain has reached the threat intel feeds, it's already way too late to prevent issuance. Revocation would be the only option, and a false positive revocation has more potential for severe impact than a false positive refusal to issue.

9 Likes