Makes sense. I assume each of them is in control and at the whims of US president?

It seems that currently most free CAs have a big presence in the US, and employ quite a few US employees.

ZeroSSL/HID Global seems to be quite multi-national though, and it’s owned by a Swedish company (Assa Abloy).

I don’t know what what kind of mitigations these orgs have in place if the shit really hits the fan in the US. It’s an interesting question for sure.

Fundamentally, Microsoft, Google and Apple are all run by American citizens living in America. Firefox is pretty much the same.

The US has strong institutions which prevent the President or Government at large controlling these on a whim. If those institutions fail then they could all push out an update which removes all "top of chain" trusted certificate authorities other than ones approved by the US government.

In that situation the internet is basically finished as it stands now, and the OSes would be non-trustworthy anyway.

Fixing the SSL problems is the easy part, the free world would push its own root certificate out -- which people would have to manually install from a trusted source, but that's nothing compared to the real problem.

Sure, Ubuntu, Suse etc aren't based in the US, but the number of phones without a US based OS is basically zero, you'd have to start from scratch with a forked version of android which likely has NSA approved backdoors in it anyway. Non-linux based machines would also need to be wiped.

They are not in control of the US president.

I'm pretty sure that the .org TLD can be shut off by the US at any point in time.

That’s not relevant though. These CAs will gladly give you a .se/.dk/.in/whatever cert as long as validation passes.

I hope so, but can we really be sure that .se or .de would still work in such a scenario? Is the TLD root management really split up vertically or is the (presumably US-based) TLD parent organization also the final authority for every country TLD?

It would be nice to at least have a very high level contingency plan because in worst case I won't be able to google it.

Lets Encrypt do not control the US president.

You could argue that The Don in charge of the US is in control of letsencrypt

Yeah, it's a bit far fetched but after Cloudflare CEO basically threatening to cut off Italy I was wondering what would happen if US really invades Greenland.

A simple windows to linux migration is not enough. If certificates expire without a way to refresh you'd either need to manually touch every machine to swap root certificates or have some of other contingency plan.