RiseUp's Jabber/XMPP service and CA truly secure?

Tacosarabes wrote...
To whoever reads this: this doesn't really have anything to do with RiseUp per se (well, actually maybe, but keep reading); however, since I consider our network to comprise many encryption and privacy experts, I wanted to get your professional opinion on something rather important for me and a group that I run.

How do you feel about using Let's Encrypt as a certificate authority? Not for RiseUp to use (because as I understand it, RU uses Comodo CA, based in the UK), but rather, just in general? Well, actually my interest in Let's Encrypt is for two reasons:

1. Providing SSL certificates to secure my websites

2. Vetting the true security of any website or technology that uses Let's Encrypt as a certificate authority. For example:

Let's Encrypt is the certificate authority for most public XMPP servers:

https://list.jabber.at/

However, I'm concerned about the sponsoring company (Internet Security Research Group); although it appears to have some good board members, it's based in the U.S. and it clearly says on their website, in their privacy policy:

https://letsencrypt.org/privacy/

that they are willing to divulge personal information to the government under subpoena order. According to them, their discretion to divulge practically anything is rather open-ended, quoting from the section "What We Share"... "We may also disclose account recovery information when we have a good faith belief it is necessary to prevent loss of life, personal injury, damage to property, or significant financial harm."

My particular interest in XMPP is for use with Jitsi, for running end-to-end encrypted conference calls for a group that I organize, but since I am the most technical person of the group, the others rely on and put their full faith in the technology that I recommend.

I can't have them trust me 100% that our telecommunication lines are secure, when in reality they could be infiltrated due to the potential danger of the certificate authority's jurisdiction. To me that is simply not acceptable. I patch all holes before there is even a leak.

So with that said, does Let's Encrypt have a potential leak? If so, do you know of any other certificate authorities? (Or should I just use RiseUp's XMPP/Jabber service, https://riseup.net/en/chat? But does this service use the Comodo certificate authority just like RiseUp's website?)

Ultimately I'm looking for an XMPP server/service which uses a certificate authority that would NEVER under any circumstances divulge information to the government or "law enforcement", particularly in the U.S. (Note: I put "law enforcement" in quotes because we know very well that many times the so-called executive branches of government do whatever they want and end up violating more rights than they claim to protect.)

Thanks in advance for your time and expertise.
Upvote | 0
Flag for Review
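The second use the post lists, vetting which certificate authority a website or XMPP server actually relies on, can be checked directly rather than inferred from a directory listing. The script below is an added example; it is not code from the original post, from RiseUp, or from Let's Encrypt. It uses only the Python standard library, validates the server's chain against the local trust store, and for XMPP performs the RFC 6120 STARTTLS exchange on the client port before reading the leaf certificate. Assumed: the server is reached directly at the given host and port (no SRV lookup) and, for XMPP, supports STARTTLS; the sample certificate dict in the test is constructed for illustration.

```python
"""Inspect which CA issued a web or XMPP server's TLS certificate.

Added example, not code from the original post, RiseUp or Let's Encrypt.
Standard library only. Assumptions: the XMPP server is reachable directly at
the given host:port (no SRV lookup) and supports STARTTLS on the client port.
"""
import socket
import ssl
from datetime import datetime, timezone

# RFC 6120 stream header and STARTTLS request (XML fragments, sent before TLS).
XMPP_STREAM_OPEN = (
    "<?xml version='1.0'?>"
    "<stream:stream to='{domain}' xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
)
XMPP_STARTTLS = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"


def rdn_to_dict(rdns):
    """Flatten the ((('key', 'value'),), ...) structure that
    ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    flat = {}
    for rdn in rdns:
        for key, value in rdn:
            flat[key] = value
    return flat


def issuer_of(cert):
    return rdn_to_dict(cert.get("issuer", ()))


def is_lets_encrypt(cert):
    """True when the leaf certificate was signed by a Let's Encrypt intermediate."""
    return issuer_of(cert).get("organizationName") == "Let's Encrypt"


def days_until_expiry(cert, now=None):
    """Days left before 'notAfter'; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days


def report(cert, now=None):
    """One-line summary suitable for a monitoring log."""
    issuer = issuer_of(cert)
    subject = rdn_to_dict(cert.get("subject", ()))
    return "subject=%s issuer=%s/%s lets_encrypt=%s expires_in_days=%d" % (
        subject.get("commonName", "?"),
        issuer.get("organizationName", "?"),
        issuer.get("commonName", "?"),
        is_lets_encrypt(cert),
        days_until_expiry(cert, now),
    )


def _read_until(sock, markers, limit=65536):
    """Read until one of the byte markers appears (pre-TLS XMPP is plain XML)."""
    buf = b""
    while not any(m in buf for m in markers):
        if len(buf) >= limit:
            raise ValueError("no %r in the first %d bytes" % (markers, limit))
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the stream before %r" % (markers,))
        buf += chunk
    return buf


def fetch_leaf_cert(host, port=443, xmpp_domain=None, timeout=10):
    """Connect, negotiate STARTTLS when xmpp_domain is given, and return the
    leaf certificate dict. create_default_context() validates the chain
    against the system trust store and checks the hostname."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    server_name = xmpp_domain or host
    if xmpp_domain:
        raw.sendall(XMPP_STREAM_OPEN.format(domain=xmpp_domain).encode())
        _read_until(raw, (b"<starttls",))
        raw.sendall(XMPP_STARTTLS.encode())
        if b"<failure" in _read_until(raw, (b"<proceed", b"<failure")):
            raise RuntimeError("%s refused STARTTLS" % host)
    with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
        return tls.getpeercert()


if __name__ == "__main__":
    import sys
    # Usage: python check_ca.py example.org                      (HTTPS on 443)
    #        python check_ca.py xmpp.example.org 5222 example.org (XMPP STARTTLS)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    domain = sys.argv[3] if len(sys.argv) > 3 else None
    print(report(fetch_leaf_cert(host, port, domain)))
```

Run it against each candidate server and the report shows who signed the leaf certificate, whether that chain is trusted locally, and how long the certificate remains valid. What the check cannot show is anything about session contents: a CA issues and revokes certificates but never holds the server's private key, so the records a CA could hand over are its own account and issuance data, which is the kind of information the linked privacy policy talks about.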
Urraca De Cuello Negro replied...
I replied to this in another ticket, so I'm closing it.
Upvote | 0
Flag for Review