←back to thread

F-Droid site certificate expired

(gitlab.com)
155 points kxxt | 3 comments | 31 Aug 25 12:16 UTC | HN request time: 0s | source
Show context
gethly ◴[31 Aug 25 14:32 UTC] No.45083427[source]
Because those ephemeral LE certificates are such a great idea...
replies(6): >>45083455 #>>45083516 #>>45083798 #>>45083991 #>>45084464 #>>45088393 #
shaky-carrousel ◴[31 Aug 25 14:43 UTC] No.45083516[source]
It is, if your objective is to closely centralize the web. If you make https mandatory, via scare tactics, only people with certificates will have websites. If you make ephemeral certificates mandatory by taking advantage of a monopoly, then only big SSL providers who can afford it will survive.

Then, when you have only two or three big SSL providers, it's way easier to shut someone off by denying them a certificate, and see their site vanish in mere weeks.

replies(6): >>45083645 #>>45083750 #>>45083879 #>>45084701 #>>45086962 #>>45090198 #
1. KetoManx64 ◴[31 Aug 25 14:56 UTC] No.45083645[source]
Great explanation and very apt for out time when we regularly hear of people being banned/debanked/jailed for their political views in western countries.
replies(2): >>45084760 #>>45086953 #
2. octoberfranklin ◴[31 Aug 25 17:00 UTC] No.45084760[source]
Yeah WebPKI is basically perfectly designed to facilitate deplatforming.
3. schoen ◴[31 Aug 25 20:49 UTC] No.45086953[source]
The web PKI is certainly a potential point of failure in online communications, but fortunately there is almost no history of certificate revocation over content disputes. The biggest targets have been domain name registrars and CDNs.

Let's Encrypt has emphasized that it doesn't have the resources to investigate content disputes (currently, it's issuing nearly 10 million certificates per day, with no human intervention for any of them) and that having to adjudicate who's entitled to have a certificate by non-automated criteria would throw the model of free-of-charge certificates into doubt.

Meanwhile, encrypting web traffic makes it harder for governments to know who is reading or saying what. (Not always impossible, just harder.) Without it, we could have phenomena like keyword searches over Internet traffic in order to instantly determine who's searching for or otherwise reading or writing specific terms!

I'm very aware that it's still easy to observe who visits a particular site (based on SNI, as someone else mentioned in this thread). But there's a chicken-and-egg problem for protecting that information, and encrypting the actual site traffic is at least the chicken, while the egg may be coming with ECH.

Overall, transit encryption is very good for free expression online, and people who want to undermine or limit online speech are much more likely to be trying to undermine encryption than to promote it.

The biggest thing that Let's Encrypt in particular does to mitigate the risk of being unable to serve particular subscribers is to ensure that ACME is an open protocol that can be implemented by different CAs, and that it's very easy for subscribers to switch CAs at any time for any reason. The certificate system is more centralized than many people involved with it would prefer, but at least it's avoiding vendor lock-in.