In March 2024, Let’s Encrypt introduced a new project called Sunlight. This caught my attention for two reasons:
I’m a big fan of anything related to Certificate Transparency efforts.
I’m a big fan of Filippo Valsorda, the designer of Sunlight and a cryptography engineer whose work I deeply respect.
Certificate Transparency
For the uninitiated, certificate transparency is an initiative to create a publicly verifiable audit log of security certificates used by websites that use encryption technology (think encrypted connections on banking websites, e-commerce sites, and social media). While the underlying encryption technology for HTTPS connections is sound, the traditional trust model of issuing these certificates is fundamentally broken. Certificates for these encrypted connections are issued by a Certificate Authority (CA). Any domain name that wants a signed certificate for its encrypted connections must have the certificate signed by a CA for your web browser to consider this certificate to be legitimate. You can think of a CA as a notary service, a disinterested 3rd party who will vouch that you are who you say you are. But what happens if the CA goes rogue?
This is exactly what happened in 2011. A CA was compromised, and fraudulent certificates were issued. Actions like this fundamentally break the trust model built into CAs. This is where Certificate Transparency comes in. Participating organizations like Google, Amazon, Facebook, Let’s Encrypt, and others submit their requested certificates to the Certificate Transparency program database. This allows for out-of-band verification that a legitimate organization indeed requested the certificate. What’s great about the project is that all the data is free and open to the public. You can even run your own read replica of the entire dataset. However, the log history is very large; as of this writing, it has over 700 million entries in the database. Various organizations have tried to address this, but it is not trivial. Let’s Encrypt outlined their challenges in this 2022 article, and Cloudflare built a tool called Nimbus to address their needs at scale. This is where Sunlight steps in.
Sunlight
What’s unique about Sunlight is that it has been built to address scalability, ease of operation, and reduced cost. This makes running more infrastructure related to monitoring the certificate transparency project viable for more organizations and helps reduce the burden of operating large-scale monitoring services for groups like Let’s Encrypt. Another thing I like about the project is the thoughtful approach of the designer, Filippo Valsorda.
Filippo Valsorda
Filippo Valsorda has sorted out a way to focus on the work he truly loves while finding a way to sustain (and even thrive) maintaining core cryptographic projects used by billions of people. I highly recommend subscribing to his cryptography newsletter if you aren't already a subscriber. While at Cloudflare and then Google, he’d made a name for himself when it came to carefully and intentionally building core cryptographic tools in the go (programming language) ecosystem. He’s an alum of the Recurse Center (another excellent organization), and he exemplifies a career path that is a beautiful feedback loop of deep curiosity and amazing skill (his Reddit AMA from a few years ago is worth checking out).
Conclusion
I wanted to point out this project and its designer, and I hope you have gained a little more appreciation for the problem, the solution, and the folks involved. I love that Let’s Encrypt has worked with Filippo Valsorda to solve an interesting and important problem in the world. I find that what Filippo spends his time and attention on is also worth paying attention to. His work has a playfulness and joy of creation that I think we should all aspire to, and he’s made efforts to dedicate as much time as possible to solving what he finds as interesting problems. Imagine how much better the world would be if we spent a little more time diving deep into the work we love for its own sake and found our own way to contribute to improving things, even just a little.