They surely don't have any kind of access to letsencrypt root certs whatsoever

You can't decrypt anything with letsencrypt root certs, you can issue your own certificates but it would be impossible to use those at any significant scale.

It's also worth considering that CT makes it extremely noisy to use such certificates to attack web browsers.

▲

hollow-moe a day ago | parent [-]

I'd bet they could absolutely proxy large parts of people and make use of these certs. I wonder how much are CT logs scrutinized, would these "rogue" certs be found easily because we can't find traces of them being generated by letsencrypt ? Browsers checks CRLs but are they checking CT logs to be ensure the cert they're checking was logged ?

	▲	monerozcash a day ago \| parent [-]
		They couldn't do that at scale without being detected, no. There are various people actively looking for this, and the existing tooling makes it easy to detect. >Browsers checks CRLs but are they checking CT logs to be ensure the cert they're checking was logged ? Yes, all modern browsers require certificates to be in the CT logs in order for them to be accepted. For example, we can easily pull up logs for gmail.com and see which certificates browsers would accept. https://api.certspotter.com/v1/issuances?domain=gmail.com&ex...