Blocking Let’s Encrypt

Hello, I would like to block all websites that are using Let’s Encrypt issued certificates, but when I tried to find LE’s Certificate Authority in MMC (Win7), I didn’t find one! Should I block the head of the hierarchy for LE? The web browser won’t allow me to block LE (I deleted the LE certificate from the trusted list, but your website still opens up).

I need a full OS-wide block of the certification; can someone help me out?)

I’m interested in the why of blocking sites with LE certs, personally.

3 Likes

Phishing and scamming pages are massively using LE certificates to make their web pages https://
Green lock in the browser and the user feels safe!! Also no notification from the web browser about a “risk page”.

And LE made their certs free, so scammers don’t have to pay for a certificate each time they are blocked, and LE made certification automatic!

I demand disclosure of information on how to blacklist LE certs at the OS level.

P.S. I’m not tech-savvy, I know you do great work etc., but please show me the OFF button =)

Excuse me?

Note: I’m a volunteer and not associated with Let’s Encrypt.

In any case, perhaps this helps: https://letsencrypt.org/certificates/

3 Likes

I am not familiar with how the certificates will be represented in MMC, so I can’t provide a step-by-step. However, I can point out the TWO Root Certificates you would need to remove from your trust store. As @Osiris helpfully pointed out, these are documented on our “certificates” page.

  • Our “ISRG Root X1”
  • IdenTrust’s “DST Root CA X3” ( perhaps also called “TrustID X3 Root” )

The “certificates” page also has links to sites that we maintain so you can test your trust store changes. It would also be very helpful to the community if you returned to this post later to share your browsing experiences after removing trust.

Thank you and stay safe out there!

5 Likes

Thank you for the information! I will provide feedback as soon as possible.

2 Likes

You will break your clients if you do that.

There are a lot of legitimate websites using Let’s Encrypt certificates, and you’ll break them as well. (You won’t block them, they’ll just have a cert from an unrecognized authority)

And please realize: most browsers don’t have green locks anymore.

2 Likes

Additionally, blocking IdenTrust’s root will also affect their other customers.

3 Likes

I’d guess around 30-40% of the sites I use have Let’s Encrypt certificates. And these are large sites, not small self-hosted sites.

Distrusting the intermediary would render the internet nearly unusable for me, and likely many others.

My Personal Opinion and speculation below ----

I feel like this is a thinly veiled attempt at trying to manipulate ISRG to change their issuance policy and censor the internet. Hoping that someone at the organization takes offense at the idea of someone removing the certificates from their trust store personally or something.

Just because it seems so drastic, instead of relying on a service like Google Safe Browsing.

3 Likes

Offtopic: or common sense :wink:

2 Likes

Also, if the user simply removes those certificates from the trusted store without explicitly distrusting them, those certificates will come back when the CA store updates.
P.S. This is my personal experience.

3 Likes

I’m not an organisation, nor am I pushing any agenda. I don’t have clients, I do not manage a web server, I am a user and I just don’t want to be scammed while browsing. LE certificates are widely used in my country’s “ebay’s”, which means I have difficulties online shopping. Again, these fake payment websites with LE certs are used very widely. All I want is a switch to block loading any webpage that has an LE certificate. Just for me :slight_smile:

P.S. If I add the LE certification servers to the hosts file, will it work?

1 Like

No, your browser won’t connect to the LE certification servers if you surf to a site using a LE certificate. Some browsers do make OCSP lookups to check if the certificate has been revoked or not, but as far as I know, when the browser can’t connect to the OCSP server, it won’t block access to the site (softfail).

Edit: Firefox seems to have a setting to change softfail to hardfail:

https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox#OCSP

By default, Firefox ignores the revocation check (i.e. soft-fails) if a valid response is not received from the OCSP server within 2 seconds (10 seconds for an EV certificate). Setting the security.ocsp.require preference to ‘1’ switches to hard fail and triggers a certificate validation error if an OCSP response is not received within 10 seconds.

I guess the loading of such a site would seem to take ages (2 seconds) before you’d be presented with an error.

3 Likes

I think if you really want to do that, you can distrust the intermediate certificate in Windows MMC, so you’ll only block all Let’s Encrypt issued certificates.
But again, this is seriously disruptive for your browsing experience.
https://www.ssl.com/how-to/disable-a-root-certificate-in-windows-mmc/

1 Like

Blocking websites using Let’s Encrypt will not be much more helpful than just blocking the whole internet. Half of the Internet’s websites are using Let’s Encrypt certificates. If you see a green lock on a website, it only means that the connection is secure, i.e. that you are talking to the website that your URL bar displays. It doesn’t mean anything else.

If you don’t know the website, do not give them your credit card. Check the reputation of a website before doing so.

Also, use unique passwords (generated by your web browser or a password manager); do not reuse passwords.

3 Likes

The problem is not abstract like blocking the whole internet; I don’t need that. I only visit 4-5 websites (they are not certified by LE), and an online shop, and there many people use LE certs to make fake mirror websites. I am good enough to spot any of it, this is not the problem… it consumes an immense amount of time to dig through all the garbage fakes) While it should be an easy thing to do - to block all LE-certed pages… because they are free, they are automatic. Owners should pay for certs, so they would be afraid to lose reputation and money in case of a block…

Personally, I find it very hard to relate to this. Especially for someone claiming to visit just 4 to 5 sites. I have never come across “garbage fakes” when surfing normally. You want to shop at ebay? You go to ebay.com or ebay.whateveryourcountrycodeis. You want to shop at Amazon? You go to amazon.com or amazon.whateveryourcountrycodeis. It’s not that hard. Just look at the URI in the address bar. It should NOT look like https://www.ebay.com.something.else.entirely.com :confused: Everybody should know those basics.

Also, if you’re looking at the green lock to check if you’re visiting a “real” site or a “garbage fake”, you’re doing it wrong and you don’t understand the meaning of the lock.

I think you’re trying to fix a “problem” that doesn’t exist, sorry.

5 Likes

Yeah, no.

Reputation is meaningless to spammers. And changing IPs and hosting is just part of business.

3 Likes

Personally I think blocking LE certificates is a bad idea. Sure, there are a lot of scam sites out there, but there are also millions of legit websites that also use LE. You would be better off learning how to identify and avoid scam sites rather than just blocking a considerable portion of the internet. There are lots of free browser extensions like AdBlock and Disconnect that do a great job blocking scam sites.

P.S.: If you get a weird feeling on a website, check its URL! Scam sites often exploit fonts and swap out letters for look-alikes!

2 Likes
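The two posts above describe what the lock cannot tell you and what the address bar can: a brand name stuck in front of a different registrable domain (the `www.ebay.com.something.else.entirely.com` pattern) and letters swapped for look-alikes. The following check is an added example, not code from the thread or from Let’s Encrypt; `KNOWN_BRANDS`, the `FOLDS` substitution table and the small `SECOND_LEVEL_SUFFIXES` set standing in for the Public Suffix List are constructed assumptions.

```python
# Heuristic look-alike hostname check (added example, not from the thread).
# Brands the user actually shops at (constructed assumption for the example).
KNOWN_BRANDS = {"ebay", "amazon"}

# Common ASCII substitutions seen in look-alike labels (constructed, not exhaustive).
FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Tiny stand-in for the Public Suffix List: labels that are public suffixes under a TLD.
SECOND_LEVEL_SUFFIXES = {"co", "com", "net", "org", "gov", "ac"}


def registrable_domain(host: str) -> tuple[str, str]:
    """Split a host into (owner_label, public_suffix), e.g. shop.ebay.co.uk -> ('ebay', 'co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    n = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES else 2
    return labels[-n], ".".join(labels[-n + 1:])


def fold(label: str) -> str:
    """Undo common look-alike substitutions so 'arnaz0n' compares equal to 'amazon'."""
    for lookalike, real in FOLDS:
        label = label.replace(lookalike, real)
    return label


def lookalike_warnings(host: str) -> list[str]:
    """Return reasons `host` looks like brand impersonation; an empty list means none found."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    warnings = []
    # Non-ASCII or punycode (xn--) labels can hide homoglyphs such as Cyrillic letters.
    if any(ord(c) > 127 for c in host) or any(lbl.startswith("xn--") for lbl in labels):
        warnings.append("non-ASCII or punycode label (possible homoglyph)")
    owner, suffix = registrable_domain(host)
    if owner in KNOWN_BRANDS:
        return warnings  # registered by the brand itself: ebay.com, ebay.de, shop.ebay.co.uk
    for brand in KNOWN_BRANDS:
        for lbl in labels[:-1]:  # every label except the TLD
            if brand in lbl:
                warnings.append(f"'{brand}' appears in '{lbl}' but the site is {owner}.{suffix}")
            elif brand in fold(lbl):
                warnings.append(f"'{lbl}' reads as '{brand}' once swapped letters are undone")
    return warnings


if __name__ == "__main__":
    for h in ["www.ebay.com", "www.ebay.com.something.else.entirely.com", "arnaz0n.com"]:
        print(h, "->", lookalike_warnings(h) or "looks like the real domain")
```

The check is deliberately conservative about what it accepts: it only treats a host as legitimate when the brand is the registered owner label, which is exactly the address-bar rule the posts describe.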