Integrate letsencrypt for whitelabel domains

[mpfau]

Automatic certificate retrieval via letsencrypt.

[RealDrGordonFreeman]

Let's Encrypt board members have links to the US security services. Let's Encrypt certificates are also being abused for phishing campaigns specifically focusing on mail clients and servers. It is not advisable to further involve Let's Encrypt in the operations of Tutamail. Tutamail should use a German/European Root Certification Authority.

More information posted to Reddit:

https://www.reddit.com/r/tutanota/comments/aejj8f/tutanotas_decision_to_use_an_american_ssl_provider/

[RealDrGordonFreeman]

StackExchange post about Let's Encrypt: https://security.stackexchange.com/a/201736/196572

One of the answers from the post:

• They could refuse to issue new certificates.

• They could be forced to give your personal data (registration email, list of linked domains to your ACME account, IPs of your server, ...) to US Authorities.

• They could be forced to give personal data (IPs, user-agent, ...) of the visitors of your website (using OCSP requests) to US Authorities. (OCSP staple can prevent that)

• They could prevent some of your visitors to reach your website by refusing to answer to OCSP requests (If their browser have an hard-fail for OCSP configured. And maybe they could send a "revoked" OCSP answer only to them). OCSP staple can prevent that too

And they do post (some) stats about these requests: ISRG Legal Transparency Reports

Other related links on https://community.letsencrypt.org:

Details on the two US Subpoenas received According to mcclatchydc.com Let’s Encrypt revoked and banned USAReally.com Certificates for US sanctioned countries Let’s Encrypt and U.S. laws

[charlag]

@RealDrGordonFreeman

• anyone can refuse to issue certificates
• we can use our own account for issuing certificates. Why do you need a certificate if you don't want anyone to know your IP adress?
• Check what Let's Encrypt says about OCSP:

  Implement OCSP Stapling

  Many browsers will fetch OCSP from Let’s Encrypt when they load your site. This is a performance and privacy problem. Ideally, connections to your site should not wait for a secondary connection to Let’s Encrypt. Also, OCSP requests tell Let’s Encrypt which sites people are visiting. We have a good privacy policy and do not record individually identifying details from OCSP requests, we’d rather not even receive the data in the first place. Additionally, we anticipate our bandwidth costs for serving OCSP every time a browser visits a Let’s Encrypt site for the first time will be a big part of our infrastructure expense.

  By turning on OCSP Stapling, you can improve the performance of your website, provide better privacy protections for your users, and help Let’s Encrypt efficiently serve as many people as possible.

https://letsencrypt.org/docs/integration-guide/

Anyway, this is not the right place for discussion and we strongly ask you to not continue discussion here but I still found this useful to provide this information for the future.

[RealDrGordonFreeman]

Okay, thank you. However, the Tutanota reddit forum has become a toxic place for discussion. It is also mostly filled with Americans. I am not the only person who has expressed this concern. Where else to discuss these issues? Is it possible to create a suitable discussion forum here on GitHub? I would have suggested creating a Tutanota site on StackExchange, but they only do Q & A.

[mpfau]

fixed with https://github.com/tutao/tutanota/commit/bacfb57234f74603ac2eb56733933dd46158eb5a

[mpfau]

wrong type is displayed for manual certificates. If you click on ok in this case, a new letsencrypt certificate is generated and stored.