[not posted on emacs-devel, CC'ed on emacs-tangents, to respect Eli's request]
* Cecilio Pardo <da05cd2a-2548-43da-9b96-3e000a156...@imayhem.com>
Wrote on Fri, 21 Mar 2025 14:16:41 +0100

> On 21/03/2025 10:10, Madhu wrote:
>> * Daniel Colascione <330d5af9-da6d-4843-ad4c-63468187e...@dancol.org> :
>> Wrote on Wed, 19 Mar 2025 21:28:29 -0400:
>>> The rest of the Internet trusts Let's Encrypt. Building policy around
>>> the idea that it's not trusted is like building food safety policy
>>> around one weird cult's religious prohibition against eating
>>> green-colored foods on Tuesdays.
>> [Not emacs related but if you're using letsencrypt]
>> xhamster uses let's encrypt and my ISP (BSNL India) can apparently do
>> deep introspection on TLSv1.3 HTTPS connections (at an AIRTEL or Tata
>> Communications National gateway) and display page with a redirect
>> which logs the access to the URL, times, hosts, etc. of the attempted
>> access.
>> I assume it isn't xhamster or cloudflare which is giving the ability to
>> deepinspect and block specific urls but some certificate issuer closer
>> to letsencrypt.
> May I ask for a source for this affirmation?

I just reported what I observed (by chance; I'm not a regular consumer)
on my ISP -- that the traffic (that traffic under guarantees of end to
end TLSv1.3 encryption) was being inspected and blocked.

> Let's encrypt is sponsored by the likes of Mozilla and the EFF, and is
> a non-profit trying to promote privacy on the internet why making it
> easy to have encryption.
>
> One thing is not trusting its certificates because they only offer
> Domain Validation certificates, and another to say they act on bad
> faith and/or are technically incompetent.

How would you explain what I'm seeing? I didn't look into it deeply.
letsencrypt is trusted in my /etc/ca-certificates. So the ISP (or ISP's
immediate upstream) is presenting a certificate signed by letsencrypt
and proxying the traffic while inspecting it?

But I didn't see mismatched certificate warnings, just the blocked page
with data of what is being blocked. (This was a few months ago, I
haven't tried to access those domains since)

---
via emacs-tangents mailing list
(https://lists.gnu.org/mailman/listinfo/emacs-tangents)