
The headline is wrong and not very clever for such a project.

The project was able to get a CA to sign their keys; this is what happened. Using the word "trust" is simply wrong and might be interpreted as a too simple kind of propaganda after we learned a lot about the untrustable nature of a hierarchical certification infrastructure.

Another, even bigger trust-breaking elephant in the room is the fact that this project is USA-based - as long as the US government and agencies are insisting on practices we know from authoritarian and anti-democratic states like e.g. China or Saudi Arabia, there is no way any US-based project can use the word "trust" for their product description - it might be recognized as a simple lie by informed people.

Questions to the project leaders:

* You must obey US laws and therefore offer MITM access to every Let's Encrypt "trusted" network stream - why aren't you educating your users about this serious limitation of your product?

* Why don't you rebase your project to a country where a government policy exists that allows companies to build trustable security-based products?




There is no U.S. law that compels us to "offer MITM access to every Let's Encrypt trusted network stream".

TLS sessions are negotiated between TLS clients and servers. Their confidentiality is guaranteed by that negotiation, and the certificate authority, if any, doesn't have the server's private key and can't read the server's TLS sessions.

What CAs have the power to do is misissue certificates. Using a CA's services generally does not increase your exposure to misissuance attacks by that CA. If Let's Encrypt misissues certificates, it could misissue them for sites that are not and never have been Let's Encrypt users, just as any other CA can issue certificates for any public Internet service.

As I've said elsewhere, Let's Encrypt wants to use, and encourage others to use, technologies that limit our power to do the wrong thing, including HPKP and Certificate Transparency. We want more limits on our power and other CAs' power, not fewer, that lead to misissuance events getting caught and attacks on TLS users failing.


It means it's trusted by all major browsers, which is what matters. You may not like the terminology, but that's what it's called.


If there's a government that you trust, then you're mighty naive.


I just want free TLS, dude.



