Diffstat (limited to 'notes/the-us-lock-of-the-web.md')
| -rw-r--r-- | notes/the-us-lock-of-the-web.md | 185 |
1 files changed, 185 insertions, 0 deletions
diff --git a/notes/the-us-lock-of-the-web.md b/notes/the-us-lock-of-the-web.md new file mode 100644 index 0000000..e6298e2 --- /dev/null +++ b/notes/the-us-lock-of-the-web.md 
@@ -0,0 +1,185 @@ +--- +pubDate = 2026-06-19T05:18:46 +tags = ['https', 'web', 'cryptography'] +lang = "en" +type = "note" + +[author] +name = "ache" +email = "ache@ache.one" + +[[alt_lang]] +lang = "fr" +url = "/notes/verrou-états-unien-du-web" +--- + +# The us lock of the Web + + +Let's talk about **Let's Encrypt**. + +Recently, if you haven't noticed, **Let's Encrypt**, the world's leading Certificate Authority, has added to its terms of use that [it applies U.S. sanctions](https://linuxiac.com/lets-encrypt-certificate-rules-now-include-u-s-sanctions-warranties/). +This isn't surprising, but it raises questions. +The application of U.S. law to critical web infrastructure constitutes a major geopolitical weapon. + +::::details +What is _Let's Encrypt_ ? + +**Let's Encrypt** is the most well-known web certificate authority in the world. + +Stemming from a collaborative effort by Mozilla and the Electronic Frontier Foundation, the most active non-profit organization defending digital rights, Let's Encrypt has truly contributed to installing the little HTTPS padlock icon in your navigation bar. + +:::attention +If you don't know what Let's Encrypt or a certificate authority is, then this blog post may not be entirely for you. Simply understand that we are talking about the padlock in your browser's address bar. +::: + +In order to democratize the use of HTTPS, Let's Encrypt revolutionized certification in two points: + +- _Free Of Charge._ Certification by Let's Encrypt is free, period. For competitors in 2014, a certificate cost VERY expensive. Even today, it is the factor that most actors choose **Let's Encrypt**. For information, a certificate costs €188/year at [GlobalSign]... for [a generic certificate] at sectigo. +- _Automation._ While retrieving a certificate in 2014 required a long verification process, payment, and then manual renewal, Let's Encrypt automates everything. This facilitates everyone's work and contributes to a safer web. 
+ +:::: + +## Dependence on Let's Encrypt + +A year ago, [Stéphane Bortzmeyer] posted on Mastodon that 80% of certificates on the web came from **Let's Encrypt**. +Naturally, I wanted to verify this. +In particular, I wanted to check to what extent _I was, myself_, an average European, dependent on _Let's Encrypt_.[^ca_ache.one] + +[^ca_ache.one]: Just for information, all my certificates are issued by _Let's Encrypt_, including the one for this website. + +My first idea was to retrieve data from a [Certificate Transparency Log](https://letsencrypt.org/fr/docs/ct-logs/). +However, this does not translate my concrete dependency on **Let's Encrypt** and requires many resources. +A log the size of which is counted in tens of terabytes, I will therefore let them make their own statistics. +It turns out that Cloudflare has an existing dashboard regarding this: + +[](https://radar.cloudflare.com/explorer?dataSet=ct&groupBy=ca_owner&filters=uniqueEntries%253Dtrue) + +:::details +From Cloudflare's data: + +| | CA | Percentage of issued certificats | +| --: | :-------------------- | -------------------------------: | +| 1 | Let's Encrypt | 52% | +| 2 | Google Trust Services | 17% | +| 3 | Sertigo | 15% | +| 4 | GoDaddy | 6% | +| 5 | Amazon | 4% | +| 6 | DigiCert | 2.5% | +| 7 | Microsoft | 1.4% | +| 8 | SSL.com | 0.69 | + +If one includes multiple certificates, that is, several certificates for the same domain name, for example. +Then **Let's Encrypt** is slightly more productive proportionally, but this does not change the order of importance of each certificate authority (except GoDaddy). + +::: + +To analyze my personal reliance on Let's Encrypt, I rather opted for a web plugin to install in Firefox. +This analyzes all the sites that I visit and records the associated certificate authority upon the website’s first visit (within the current month). +I present [Cert Check] (https://addons.mozilla.org/fr/firefox/addon/cert-check/). 
+ +I installed this extension last year on all my devices. +I can therefore be very precise regarding my concrete dependence on each certificate authority + +## Is there a monopole for Let's Encrypt? + +Yes, Let's Encrypt is indeed the most used certification authority by the sites that I visit. +But no, it is not 80% of the sites I visit and it remains less than Cloudflare's figures/numbers. + +Over the last month: + +| | CA | Percentage visited | +| --: | :-------------------- | -----------------: | +| 1 | Let's Encrypt | 46.098 | +| 2 | Google Trust Services | 32.40 | +| 3 | DigiCert | 7.58 | +| 4 | Amazon | 5.26 | +| 5 | GlobalSign | 2.93 | +| 6 | Sectigo | 2.93 | +| 7 | USERTrust | 1.34 | +| 8 | Go Daddy | 0.37 | +| 9 | Certigna | 0.37 | +| 10 | HARICA | 0.37 | +| 11 | SSL.com | 0.24 | +| 12 | SwissSign | 0.12 | + + + +However, if I take into account all the sites that Firefox has requested, not only those that I visited, it is Google which is the most prolific certificate authority. + +:::note +"Visited sites" are those that appeared in my navigation bar. +"Requested websites" are those where my browser made an HTTPS request, such as an image displayed on a webpage hosted by another site (which I did not visit directly). 
+::: + +For the last month: + +| | CA | Percentage loaded | +| --: | :-------------------- | ----------------: | +| 1 | Google Trust Services | 29.76 | +| 2 | Let's Encrypt | 28.97 | +| 3 | GlobalSign | 12.67 | +| 4 | Amazon | 11.36 | +| 5 | DigiCert | 8.43 | +| 6 | USERTrust | 3.82 | +| 7 | Sectigo | 2.07 | +| 8 | Go Daddy | 1.52 | +| 9 | HARICA | 0.42 | +| 10 | SSL.com | 0.26 | +| 11 | Buypass | 0.23 | +| 12 | Certigna | 0.19 | +| 13 | Certum | 0.07 | +| 14 | COMODO RSA | 0.06 | +| 15 | Deutsche Telekom | 0.06 | +| 16 | IdenTrust | 0.03 | +| 17 | Entrust | 0.02 | +| 18 | Actalis | 0.02 | +| 19 | SwissSign | 0.02 | +| 20 | emSign | 0.005 | + + + +Thus, approximately 46% of the sites I visit have a certificate issued by Let's Encrypt, and 30% of the certificates my browser has used are from Google. My concrete dependence on Google is astonishing, especially if we take into account that I do not use a Google account daily and that it is not even my default search engine! + +## A U.S. Dependence / An American Dependence + +Many actors were offended when _Let's Encrypt_ modified its terms of use, but few people denounced the American hegemony over the certification infrastructure. +What my small experience highlights is not only that _Let's Encrypt_ is the Achilles' heel of security on the Internet. + +It also means that the **United States signed more than 95% of the certificates of websites that I visited**. +The first non-U.S. issuer is [GlobalSign](https://en.wikipedia.org/wiki/GlobalSign) (Having its headquarters in Europe, but now more global than European) which signed 3% of the certificates; the second is [HARICA](https://harica.tbs-certificats.com/), a Greek public CA with 0.34%[^geomys]. + +Worse still, 100% of browsers are subject to US law, even if they don't enforce it until ow, and only two of the 8 [certificate transparency logs](https://certificate.transparency.dev/logs/) are European. +Only one is Asian! 
+ +[^geomys]: + I did not know about [Geomys](https://geomys.org/). + It is a CT Logs created by [Filippo Valsorda](https://filippo.io/), an Italian cryptographer known in the free world. + + I classified it as European, but let's be honest, its funding is private and of US origin. + +The conclusion is clear: the United States has the capacity to subject all actors in the global web security infrastructure to its extraterritorial jurisdiction. +Certificate signing today is concentrated in the hands of a handful of actors whose legal, financial, and jurisdictional roots fall under the United States. + +:::attention +Here, I focused on certificate authorities, but too much infrastructure is dependent on US authority/U.S. regulatory power. +::: + +Even browsers (Chrome/Google, Firefox/Mozilla, Safari/Apple, and Edge/Microsoft) are subject to American law, which means that the master list of trust certificates is, in reality, a backdoor into our digital intimacy. + +This constitutes not only an operational risk but a structural flaw of sovereignty. + +It is a global effort that we must implement to regain a healthier ecosystem. +Not only in Europe. Asia is represented only by China, and the absence of any actor originating from Africa or Latin America is concerning. + +Our response should involves several concrete areas: + +- Diversifying root certification authorities and transparency logs. +- Raising awareness among non-US players - whether it's a German host or an Indian developer - about their dependence. + It is necessary to realize that supporting the most local infrastructure possible contributes to web resilience. +- Investing in the development of free web browsers, and more generally, in open source software. + The cost sharing provided by open source is the only coherent answer to US hegemony. + +**The Web remains a global common good**. +Its security must not become a lever of pressure dependent on electoral cycles or the trade tensions of Washington. 
+It is to all of us that the duty returns to rebalance this balance before digital confidence/trust is instrumentalized. |
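Review bot: several Markdown links in the new note are malformed or undefined and will not render: `[GlobalSign]`, `[a generic certificate]`, `[Stéphane Bortzmeyer]` are reference-style links with no matching `[label]: url` definition anywhere in the file, `[Cert Check] (https://addons.mozilla.org/fr/firefox/addon/cert-check/)` has a space between the bracket and the parenthesis so it renders as literal text, and `[](https://radar.cloudflare.com/explorer?...)` has empty link text, so the Cloudflare dashboard reference disappears from the rendered page. Please add the missing definitions, drop the stray space, and give the radar link a visible label (or the `![alt](...)` form if it was meant to embed the chart). A few consistency fixes in the same file while you are at it: the Cloudflare table lists "Sertigo" where the second table says "Sectigo", the header "Percentage of issued certificats" has a typo, the SSL.com row reads "0.69" without the `%` the other rows carry, the prose gives HARICA "0.34%" while the tables show 0.37 and 0.42, and "until ow", "monopole" and "should involves" need correcting.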