Now sponsored by an online casino?

We are aware of and respect the fact that people have differing opinions about gambling, but to the best of our knowledge there is no legal issue with Casino2k and/or its sponsorship of Let’s Encrypt. We greatly appreciate that Casino2k understands our mission and has decided to support us in a significant way.

As our community grows, it is a certainty that people will have differing opinions about various people and organizations who are a part of it. Expression of those opinions in a respectful manner is welcome. In this case we stand by our decision to welcome Casino2k into our community of supporters.

11 Likes

What exactly would you do, should this start to affect the trustworthiness of the Let’s Encrypt CA? I’m already hearing word from a friend on mywot.com that I should consider thinking twice about obtaining certificates here, due to the clickable link to the casino on the home page of Let’s Encrypt, and he also points out sponsor OVH is vulnerable to DROWN.

I think you might have some misunderstandings with regards to how TLS works. The security of a site using Let’s Encrypt isn’t in any way affected by vulnerabilities or “trustworthiness” of other sites using Let’s Encrypt or of a sponsor. Let’s Encrypt provides one service, and that’s binding cryptographic identities to domain names. Domain-validated certificates are not a means of judging the trustworthiness of a site, nor are CAs responsible for the quality of their clients’ TLS configurations (although this is something that Let’s Encrypt helps with!)

I never said that another site’s vulnerabilities made mine vulnerable.

In that case, what is the relevancy of OVH being vulnerable to DROWN?

Unfortunately this friend is quite good at digging up trustworthiness issues; he has been analyzing your sponsors in the past couple of days. What exactly should I say to my friend whose faith in this service is tarnished by the actions and inactions of your sponsors?

I flagged my first post of this thread yesterday, considering that this thread may be becoming a distraction.

Regarding OVH and DROWN, you may want to get in touch if at all possible.

Also, the active link to Casino2k is placed in a manner in which it isn’t just simply mixed-in to the other sponsors.

...that none of what he's found (or at least of what you've shared of what he's found) has even the slightest bearing on the Let's Encrypt service, perhaps? Why does he (apparently) believe otherwise? He's shown you that one sponsor is in what he apparently considers to be an unsavory (though legal) business, and that another doesn't have their security configuration nailed down (though neither ssllabs nor test.drownattack.com corroborates the claim that ovh.com is vulnerable). I can't imagine any way in which either of these would bear on the trustworthiness or reliability of a CA.

Why would you consider that it's LE's place to do so, even assuming OVH is vulnerable?

How so? Because it's on its own line? There are 33 major sponsors listed, in a table four columns wide. That's eight rows of four, and one on its own row at the bottom; that one is casino2k.com. Does LE have to randomize the table in order to satisfy you? Or dynamically change the table layout so that no single sponsor gets its own row?

3 Likes

I have to say that I understand both points of view; that people see no problem with accepting sponsor money from an online casino, but also that some see ethical issues in such sponsorships. Both are equally valid and thus, in the name of transparency, I think it would be good to clarify beforehand who LE does not want to be affiliated with.

That seems a bit unlikely, and a bit hyperbolic. I'm not sure how donating money to a non-profit constitutes possible IP violations.

That's not quite true either. The site has been flagged as not safe for children (because gambling) and the comments actually say there are no issues with malware.

Again, having a self signed certificate doesn't mean it's not "proper". It gets a "B" on SSL Labs test if "trust issues are ignored". That's actually what I used to get before I switched to Let's Encrypt.

Uhh, the more you try to defend your position, the weaker you make it sound. "A friend says", "oh, the casino isn't malicious but some other site was", "I'm hearing word". I'm really sorry, but this is all hyperbole and hearsay.

We get it, you don't like gambling, but what you're advocating is just as silly as a breast cancer research charity rejecting donations from a porn site (that actually happened). Unsupported claims of IP violations, malicious sites, and improper certs make it look like you're trying to justify an existing opinion.

"Get some perspective" or perhaps "That's fine, go pay for a cert from a morally acceptable source".

Should no American vote Republican simply because they're also supported by hate groups such as the KKK and the Westboro Baptist Church? I think your "friend" should be more concerned by the actual actions of Let's Encrypt, rather than some "faith" he has in perceived wrongs of unrelated sponsors.

WOW, this has happened???

Yep. Here it is reported by USA Today and SFgate.

The Observer actually reports that it was directly because of people like BFeely. "Charities must carefully manage their reputations, which is why it only takes a whiff of scandal for them to turn down money."

I'm very glad Let's Encrypt isn't quite so precious.

1 Like

I think Josh provided a good description of Let’s Encrypt’s decision process with regards to sponsors and I don’t think there’s much else to say about this.

I’m closing the thread because this doesn’t seem to be going anywhere.

4 Likes