Before Let’s Encrypt was made available to savvy Internet users, obtaining a certificate for https meant spending a fair amount of money through trusted CA (Certificate Authorities) to gain the ability to encrypt traffic for one’s website. Let’s Encrypt has completely changed the game: Not only have they made access to a certificate free, they have also made sure both the installation process and the ability to update one’s certificate is as simple as possible. This means website owners can offer the benefits of https to their site visitors, without the need to spend extra cash in doing so. Meaning that the traffic going to any website using Let’s Encrypt is protected (at least in theory).
However, users of the free service by Let’s Encrypt CA recently received an email from China’s WoSign CA, threatening users that “If oversea CA faces influences from international political risks and revoke certificates of certain important institutions in China, their system will be in a complete paralysis and affect users’ experience.”
The email continues, “Using oversea CA, users’ traffic data will be sent to and recorded by oversea servers. Information such as when you visit a website, where you visit a website, your IP address, what web browsers you are using, and how many times you visit on a daily basis will be collected by oversea CA. This will result in a loss of commercial and secret data, which can be very dangerous to users.” Last but not least, the email warns that overseas companies, who based their servers outside of China, will lower users’ Internet speed and might lead to significant delay, if not more serious matters, if their submarine optical fiber cable is damaged.
While WoSign CA claims to be a private-owned company, a news report in 2014 revealed that most Chinese CA companies are connected to the government. Mr. Gaohua Wang (aka Richard Wang), CEO and CTO of WoSign CA, was once the chief engineer of the Information Network Centre of Shenzhen municipality, a city in southern China.
If you’re worried about your own security, get yourself a VPN.