> Has letsencrypt been served with a subpoena?
While it's certainly possible that ISRG has been served a subpoena because it appears the US DOJ is now a mix of hacks and incompetent buffoons, it wouldn't matter because the whole point is that they don't know anything - what you told them is literally logged publicly for everybody to see without even knowing how to spell "subpoena" let alone issue one.
Some people have this insane idea that somehow the CA has some secret which either they minted and sent to the CA, or the CA minted and gave them a copy, and so the US government could get this secret with a subpoena - but the whole fucking point of a Public Key Infrastructure is that we're using Public Key Encryption. If we were OK with everybody having secrets all over the place this entire thing wouldn't be needed.
They have the secret of the private keys used to sign certificates.
Looking at LavaBit^1 I really would not be so comfortable. The world and especially the US has not gotten more free since then.
[1] https://en.wikipedia.org/wiki/Lavabit
They could mint certificates, for / about any name. But, those certificates won't work in popular applications unless the certificates include proof of logging.
So to be effective this means a hypothetical bad actor (maybe the US government or anybody else) issues bogus certificates, then either logs them - making a permanent record for everybody to see, or also subverts two or more logs, so that they issue bogus proofs.
This is a very expensive one-shot attack on whatever the target would be, I guess it's not stupider than "Let's bomb Iran for no good reason" but it's up there.
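The "proof of logging" mentioned above is the list of Signed Certificate Timestamps (SCTs) that the CA embeds in the certificate. The following is an added example for this thread, not code from Let's Encrypt, a browser or any CT library: it parses the SignedCertificateTimestampList wire format from RFC 6962 section 3.3 and counts how many distinct trusted logs have vouched for the certificate. The log IDs, timestamps and signature bytes are constructed placeholders, the signatures are parsed but not verified (that needs each log's public key), and the "two distinct logs" rule is an assumed simplification of real browser policies.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and count the distinct
trusted logs it carries SCTs from. Added example; all log IDs, timestamps
and signature bytes are CONSTRUCTED placeholders and nothing is verified."""
import struct

# Constructed placeholder log IDs (a real log ID is SHA-256 of the log key).
LOG_A = bytes([0xAA]) * 32
LOG_B = bytes([0xBB]) * 32
LOG_UNKNOWN = bytes([0xCC]) * 32              # not in our trusted-log list
TRUSTED_LOGS = {LOG_A: "Example Log A", LOG_B: "Example Log B"}
PLACEHOLDER_SIG = b"\x30\x44" + b"\x00" * 68  # 70 bytes, never verified
TS = 1_700_000_000_000                        # ms since epoch, arbitrary


def build_sct(log_id, timestamp_ms, sig):
    """Serialize one v1 SCT with no extensions and sha256/ecdsa (0x04 0x03)."""
    body = (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + b"\x00\x00"                     # extensions length = 0
            + b"\x04\x03" + struct.pack(">H", len(sig)) + sig)
    return struct.pack(">H", len(body)) + body


def build_sct_list(scts):
    """Wrap serialized SCTs in the outer 2-byte-length list structure."""
    inner = b"".join(scts)
    return struct.pack(">H", len(inner)) + inner


def parse_sct_list(data):
    """Return one dict per SCT; raise ValueError on malformed or truncated input."""
    if len(data) < 2:
        raise ValueError("truncated list length")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("list length does not match payload")
    pos, scts = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        sct = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        if len(sct) != n or n < 47:           # version+log_id+ts+ext_len+sig header
            raise ValueError("truncated SCT")
        if sct[0] != 0:
            raise ValueError("unsupported SCT version %d" % sct[0])
        log_id = sct[1:33]
        (timestamp,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        p = 43 + ext_len
        if p + 4 > len(sct):
            raise ValueError("truncated signature header")
        hash_alg, sig_alg = sct[p], sct[p + 1]
        (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
        sig = sct[p + 4:p + 4 + sig_len]
        if len(sig) != sig_len:
            raise ValueError("truncated signature")
        scts.append({"log_id": log_id, "timestamp_ms": timestamp,
                     "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig})
    return scts


def distinct_trusted_logs(data, trusted=TRUSTED_LOGS):
    """Distinct trusted logs with an SCT in the list. Two SCTs from the same
    log count once; SCTs from unknown logs do not count at all."""
    return len({s["log_id"] for s in parse_sct_list(data) if s["log_id"] in trusted})


def meets_policy(data, min_logs=2, trusted=TRUSTED_LOGS):
    """Assumed simplification of browser CT policies: SCTs from at least
    min_logs distinct trusted logs. Real policies also consider log
    operators and certificate lifetime."""
    return distinct_trusted_logs(data, trusted) >= min_logs


# Constructed sample lists: accepted, same log twice, one unknown log.
GOOD = build_sct_list([build_sct(LOG_A, TS, PLACEHOLDER_SIG),
                       build_sct(LOG_B, TS, PLACEHOLDER_SIG)])
SAME_LOG_TWICE = build_sct_list([build_sct(LOG_A, TS, PLACEHOLDER_SIG),
                                 build_sct(LOG_A, TS + 1, PLACEHOLDER_SIG)])
ONE_UNKNOWN = build_sct_list([build_sct(LOG_A, TS, PLACEHOLDER_SIG),
                              build_sct(LOG_UNKNOWN, TS, PLACEHOLDER_SIG)])
```

In a real certificate the bytes come from the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2, and each signature would be checked against the log's key. Note what this check cannot do: a log that has been subverted in the way the post describes signs a perfectly valid SCT, so the parse and the count both pass. That is why the client-side rule demands more than one log, and why someone still has to watch the logs themselves.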
For the vast majority of cases, would anyone notice these malicious certificates being created and logged?
I don't subscribe for my personal domains, because who cares, but when I was in charge of certificates for something important I subscribed to notifications from several providers to make sure I didn't miss anything.
I would like to think at least all the high profile destinations have someone watching.
What constitutes the "vast majority"? Periodically I check mine, and I sometimes have reason to check others, I no longer run my own log auditing (I did when I worked somewhere else because it was close to my main field of interest) but other people do.
How can you check other people's certs? How do you know whether a cert issued is authorized by them or not?
The only one who can check for maliciously published certs is the entity authorized to request them. I think most companies are happy when they manage to have valid, not expired certs and do not care too much about making sure there are not too many of them.
You are right that if the state were to start issuing malicious certs en masse, that would be found out quickly. But I think very targeted selected operations against entities where they know the entity is unlikely to surveil for unauthorized certs are very much possible.
I'm not arguing for going into conspiratorial thinking and claiming CAs are all compromised and issuing malicious certs all the time. But I do think that it is feasible for states to use CAs under their direct or indirect control to run targeted attacks. I think that is a plausible, serious risk that we do not care enough about and that we should do something about. There is a multitude of precedents, from LavaBit through the wiretapping of jabber.ru^1 and ANOM^2 to CryptoAG^3, that supports this conclusion.
[1] https://notes.valdikss.org.ru/jabber.ru-mitm/
[2] https://en.wikipedia.org/wiki/Operation_Trojan_Shield
[3] https://en.wikipedia.org/wiki/Crypto_AG
If there's a competent admin or it's just entirely autopilot for some huge generic host you'll see a very boring pattern where there's a cert and then as it gets close to expiring a new cert is issued, e.g. 4-5 days before it expires, or on a Tuesday at about 8am, or whatever - and sure enough you'll see the same pattern in the cert presented when you access their web site.
In these cases it's really obvious if there's anything weird going on. You're correct that we can't know, as a third party, why there's something weird. Maybe the server was being replaced and the new server just installed an ACME client and got itself a new cert last Tuesday even though the previous one doesn't expire for weeks. But if there was nothing, we don't even need to ask anybody what's up - nothing is.
IMNSHO the statistics don't really work for targeted attacks. The odds you'll get away with it are unknowable and you only have to get unlucky once.
> How can you check other people's certs?
There are red flags you can look for, but you need to confirm with the domain owner to be sure. CAA records can tell you what CAs are supposed to issue a certificate. Many companies always use the same CA, so a change to a different one could be suspect.
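The two posts above describe what a third party can actually look for in the logs: a boring renewal cadence, the same CA every time, and a CAA record that names the CAs allowed to issue. Here is an added example in Python that runs those checks over CT entries for one domain; it is not code from any poster, from Let's Encrypt or from a CT monitor. Every entry, the CAA allow-list, the expected-name set and the 7-day tolerance are constructed or assumed; a real run would pull entries from a CT monitor, read the CAA record from DNS, and dedupe the precertificate/certificate pairs that logs contain.

```python
"""Flag the CT-log red flags described in the thread for one domain:
an issuer the CAA record does not allow, a switch from the usual CA,
a renewal far earlier than the usual cadence, and unexpected names.
Added example; all entries, allow-lists and thresholds are CONSTRUCTED."""
from collections import Counter
from datetime import date
from statistics import median

# Constructed entries for example.com: four 90-day certificates, each
# renewed 5 days before expiry, then a year-long one from a different CA
# issued mid-cycle and covering an extra name.
ENTRIES = [
    {"issuer": "Let's Encrypt", "caa_issuer": "letsencrypt.org",
     "not_before": "2024-01-01", "not_after": "2024-03-31",
     "names": ["example.com", "www.example.com"]},
    {"issuer": "Let's Encrypt", "caa_issuer": "letsencrypt.org",
     "not_before": "2024-03-26", "not_after": "2024-06-24",
     "names": ["example.com", "www.example.com"]},
    {"issuer": "Let's Encrypt", "caa_issuer": "letsencrypt.org",
     "not_before": "2024-06-19", "not_after": "2024-09-17",
     "names": ["example.com", "www.example.com"]},
    {"issuer": "Let's Encrypt", "caa_issuer": "letsencrypt.org",
     "not_before": "2024-09-12", "not_after": "2024-12-11",
     "names": ["example.com", "www.example.com"]},
    {"issuer": "Fictional CA", "caa_issuer": "fictional-ca.example",
     "not_before": "2024-10-22", "not_after": "2025-10-22",
     "names": ["example.com", "mail.example.com"]},
]
CAA_ALLOWED = {"letsencrypt.org"}                   # constructed CAA 'issue' tags
EXPECTED_NAMES = {"example.com", "www.example.com"}  # constructed operator expectation
EARLY_TOLERANCE_DAYS = 7                             # assumed threshold


def renewal_leads(entries):
    """Sort by not_before and compute, per entry, how many days before the
    previous certificate's expiry it was issued (None for the first one)."""
    ordered = sorted(entries, key=lambda e: e["not_before"])
    leads = [None]
    for prev, cur in zip(ordered, ordered[1:]):
        leads.append((date.fromisoformat(prev["not_after"])
                      - date.fromisoformat(cur["not_before"])).days)
    return ordered, leads


def audit(entries, caa_allowed=CAA_ALLOWED, expected_names=EXPECTED_NAMES,
          tolerance=EARLY_TOLERANCE_DAYS):
    """Return [(index_in_sorted_order, [reasons]), ...] for suspicious entries."""
    if not entries:
        return []
    ordered, leads = renewal_leads(entries)
    known = [d for d in leads if d is not None]
    usual_lead = median(known) if known else None
    usual_issuer = Counter(e["issuer"] for e in ordered).most_common(1)[0][0]
    findings = []
    for i, (e, lead) in enumerate(zip(ordered, leads)):
        reasons = []
        if e["caa_issuer"] not in caa_allowed:
            reasons.append("issuer %r not permitted by CAA" % e["issuer"])
        if e["issuer"] != usual_issuer:
            reasons.append("issuer changed from usual %r" % usual_issuer)
        # Only the "much earlier than usual" direction is a red flag here.
        if usual_lead is not None and lead is not None and lead - usual_lead > tolerance:
            reasons.append("issued %d days before previous expiry (usual: %g)"
                           % (lead, usual_lead))
        for name in e["names"]:
            if name not in expected_names:
                reasons.append("unexpected name %r" % name)
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in audit(ENTRIES):
        print("entry %d (%s, %s):" % (idx, ENTRIES[idx]["issuer"], ENTRIES[idx]["not_before"]))
        for r in reasons:
            print("  -", r)
```

Against the constructed data the four routine renewals pass and only the last entry is flagged, on all four counts. As the thread says, a flag is a question, not an answer: an early renewal alone might be a server replacement, and only the domain owner can say whether the entry was authorized. The point of the cadence and issuer checks is that a targeted, one-off mis-issuance has to look like the normal pattern or it stands out.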
For the wiretapping scenario, domain verified certificates do not protect against that scenario. If the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.
For any target of sufficient value that a government would do that, yes. Of course it doesn't happen anyway, because governments don't have some kind of secret access to CAs.
> Some people have this insane idea that somehow the CA has some secret which either they minted and sent to the CA, or the CA minted and gave them a copy and so the US government could get this secret with a subpoena
LetsEncrypt certainly doesn't, but I've seen certificate storefronts that generate the key on their side and provide you the key and the certificate, so you don't have to figure out how to generate a key.
The Certificate Authorities are specifically forbidden from doing this because it's so obviously a terrible idea. Many of them also require that their resellers (obviously Let's Encrypt basically doesn't have resellers because that's stupid) also do not do this because it's a terrible idea.
But yes, you're correct that, especially when "cheap SSL" was a thing, outfits which did this really existed. In fact one of the companies which did this, and then deliberately revealed customer keys, resulting in all the affected certificates being revoked, isn't even bankrupt, so apparently their customers are so stupid that they're still paying money for a service that's much worse than useless. Not an optimistic thought about humanity.