Certbot Not Able to Issue Certificate - Site marked as unsafe Google Safe Browsing


#1

My domain is: www.poslovne-usluge.com

Problem is:

How would you like to authenticate with the ACME CA?

1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)

el): 2 the appropriate number [1-2] then [enter] (press ‘c’ to cane
Obtaining a new certificate
An unexpected error occurred:
The client lacks sufficient authorization :: Error creating new authz :: “www.poslovne-usluge.com” was considered an unsafe domain by a third-party API

Somebody else held this domain for some time, we have got it back.

I am requesting you to unblock the domain, or to identify the third party API that is blocking it. Who is that?

Nothing in logs.

Letsencrypt shall be transparent


#2

Hi @rcdrun,

Your domain is being flagged as unsafe by Google Safe Browsing. You can see that here, with their test tool.

Their FAQ has some information that may help. It sounds like once you’ve solved the problems you can request a rescan through the webmaster tools:

How quickly do you take the site off the list once it’s been cleaned?

Webmasters who have cleaned their sites can request a malware review in Google Webmaster Tools or StopBadware.org. The site will be rescanned and is typically removed from the list within 24 hours if the scan is clean. We periodically check sites on our list to see if they are still infected.

Once the domain is clear from Google Safe Browsing’s perspective you shouldn’t have any issues creating a Let’s Encrypt certificate for the domain.

Hope that helps!


#3

What anti-social methods is let’s encrypt using?

That is pure harassment and wrong accusations.

Let’s Encrypt trust the Google, and Google wrongly accuses the domain to be “unsafe” without any evidence to it.

Let’s Encrypt shall review its policies and not trust Google for that matter.

Also the previous domain owner did not have just nothing “malicious” on the website. I was checking it and there was nothing.

It is unfounded and wrongful accusation.

Not suitable for ethical project such as Let’s Encrypt


#4

The FAQ I linked to covers the methods Google uses to determine if a site is malicious, and also what you can do if you disagree with their assessment.

You should contact Google through the Webmaster Tools dashboard to discuss your website & any erroneous results. We won’t be able to help you in this forum.


#5

If you authenticate ownership of the domain through Google’s Webmaster Tools, you’ll get detailed information on why your site has been marked as “unsafe” including specific evidence with URLs.


#6

The site in question was never malicious. It was reported by Google as malicious. Those are 2 different statements, express yourself precisely.

I remember why it was reported as malicious, it was possible to use the browser to simply report it, without any evidences. One person who was receiving emails from the site, was jealous on one of the services, and claimed to block it, so he did it. They organized, clicked few times, reporte it as such, and since then it was the case I remembered this today.

Google did not have just any evidence for blocking the website.

By the way, why is the user forced to open Google account, to receive the service from Letsencrypt? It should not be so.

And Letsencrypt shall not have the policy of accusation without evidence.

Blind belief to Google? LOL.

I have over here 68 reports of spam, harassment, scam and phishing, that was sent to Google, and for multiple and repeated Google Mail users, and Google does not act on it. And now I see this important organization blindly believes to Google.

If this Letsencrypt organization is transparent, may I see the contract that Letsencrypt and Google has signed?

What is the exact business relation between Letsencrypt and Google?


#7

@matoko:

Thank you for helping. Yet it is not true.

FIrst, Letsencrypt basically forced me to open up Google account, I find it discussing and also unpleasantly surprising that Letsencrypt relies on Google.

I remembered that this happened even before 2 years or longer, when I had control over website. In the mean time, somebody else had control, and Google never unblocked the website automatically. That means Google accepts false reports by users, blocks the website, and does not take any measures to re-verify it until the webmaster is opening Google account.

The world is not Google, and we have good business also without Google account and their nasty and controlling services.

It is wrongful accusation by Google. Alright.

But why is Letsencrypt participating in such?

Letsencrypt neither Google obviously do not use the principle of evidence to accuse a party.

Are we back in the middle ages?


#8

As far as I am aware, you can report a problem, but it will be verified before you are placed on the safebrowsing list.

Most users won’t need to because there aren’t any issues with their site. It’s certainly not a requirement to use Let’s Encrypt.

There probably isn’t a formal contract. Google has a public SafeBrowsing API that can be used.

Let’s Encrypt doesn’t want to issue certificates for hacked and marked phishing domains. At the least, they have a bit of a need to ensure some level of checking. There aren’t a lot of ways to do this. You could use Google’s SafeBrowsing data or a similar service, like the one that is offered by Yandex. SafeBrowsing is generally considered high quality and quick, so it’s a good fit. The only other method is to have real humans review each request, which eliminates the focus of Let’s Encrypt on offering automated and free certificates. Alternately, you could just not offer any kind of quality control, which would likely get you removed from browser trust stores quickly, killing the service.

If it’s wrongful, then it’s an easy fix. See the details of why Google has you on the SafeBrowsing list and protest that.

How do you know without looking at the details for why you’re on the list?

Either way, it looks to me like the domain isn’t on the list anymore, using the public Site Status tool. Maybe you can try to make the request again?

Also, if you’re that unhappy with Let’s Encrypt, there are several paid providers you could turn to for a certificate.


Malware test site: Considered an unsafe domain by a third-party API
#9

I have reviewed the Let’s Encrypt policies and did not see this connection and reliance on unreliable Google Safebrowsing Policies.

I have seen that Let’s Encrypt is keeping the list of blacklisted or malicious domains, however, there is no transparency to that list.

It says here:
https://letsencrypt.org/documents/isrg-cps-v2.0/

4.2.2 Approval or rejection of certificate applications

ISRG maintains a list of high-risk domains and blocks issuance of
certificates for those domains. Requests for removal from the high-risk
domains list will be considered, but will likely require further
documentation confirming control of the domain from the Applicant, or
other proof as deemed necessary by ISRG management.

And such list shall be transparent, visible, published.

The organization such as Let’s Encrypt shall be transparent in consistency with the other policies and principles.

There are numerous public references that websites can be wrongly marked as being malicious:
https://duckduckgo.com/html?q=wrongly+malicious+website&t=gnu

Accusing a website to be malicious may be a legal liability.

Thus when Google is wrongly accusing websites – and is not reliable, I do not see by which Let’s Encrypt policy shall Let’s Encrypt be liable for same wrongdoings that Google is conducting? I am asking, let me know where is that policy?

According to what I have read here:
https://letsencrypt.org/documents/isrg-cps-v2.0/

under section 1.4.2 Prohibited certificate uses

“Also, note that Certificates do not guarantee anything regarding
reputation, honesty, or the current state of endpoint security. A
Certificate only represents that the information contained in it was
verified as reasonably correct when the Certificate was issued.”

In that sense, if Let’s Encrypt is not guaranteeing the reputation of the end point security, it shall also not make attempts to guarantee the reputation security by accessing and consulting otherwise not reliable services such as Google Safebrowsing


#10

By the way Google Site Status said: they cannot isolate the code that was malicious and I am repeating that my website was not malicious, it was marked as such by users.

We wish to have ethical services and not corrupt services. If Google is corrupt, Let’s Encrypt need not follow the path.

Or is obliged to do so, due to donations?


#11

The situation Let’s Encrypt is facing is the following:

  • The Baseline Requirements, root store policies (browser/OS vendors) and user expectations based on how other CAs have been operating require that they do at least a minimal amount of work to block certificate issuance for malicious sites. Not doing so could lead to root programs distrusting Let’s Encrypt. Even with the Safe Browsing check in place, Let’s Encrypt is facing a lot of criticism for issuing certificates to phishing sites.
  • Maintaining such a service internally is not realistic and (even if we ignoring the cost issue) would either cause far more false positives than the currently solution or be not effective at all, increasing the risk of being distrusted.
  • Manual verification is out of the question for a free CA.

That leaves us with third-party options like Google’s Safe Browsing. While alternatives do exist, none of them are immune to false-positives, so there’s little reason to switch to one of those. Based on the amount of posts here that turn out to be related to this, the number of issues caused by this check is very low and in all cases I’ve seen so far, the domain owners were able to resolve the issue within a few days.

Let’s Encrypt has made their position on this topic clear and would probably be happy to remove the check once the rules change, but as they’re not the ones making the rules, that’s not up to them.


#12

It looks like you’re not willing to take time to investigate and verify everything is okay, so I really don’t think I’m going waste much more of my time on this topic. Just a few notes though for clarification:

That’s not linked to the SafeBrowsing and any other “malicious” checks, as far as I am aware. That particular policy is to block certificates for domains like “bankofamerica.gr”, “wellsfargo.in” or similar obvious high-risk domains for financial and large brands where real damage could be done. I think it’s been mentioned before on the forums that LE is considering making the list public, but there are some risks with doing so and it’s not high priority.

I’ve had that happen before, but it usually gives one or two pages where the detected problem exists. Perhaps you could spend a little time looking at the source code and seeing if there is a legitimate problem in them. If not, there’s a “review” link to request the removal of the site from the system if it is indeed clean.


#13

@pfg

Do not claim that our website was malicious. I am not against the policy to block malicious website. I am against the wrong accusations and relying on services which are clearly not reliable such as Google Safebrowsing or WOT.

That somebody makes criticism for issuing certificates to phishing sites is not related to the security of communication, it is SSL certificate and not certificate of trust, right? So, it should not make attempts to provide the trust.

It is not the SSL certificate committing the crime but criminal.

The law and judgment of which website is malicious or not – shall be left to the law, and courts.

In my opinion it is absolutely not necessary to check “what those people are communicating” by using SSL certificate. It shall be available to criminals equally, as it is not on Let’s Encrypt to judge who is who.

This what I am mentioning is more legal issue, so it shall be delegated to the attorneys of Let’s Encrypt. My viewpoint comes from the legal aspect.

The analogy is:
Should then the PGP key be issued only to people who are not criminals?


#14

@motoko

I remembered, that once our website in past got blocked, it was by the discover of malicious user, who was jealous, and who promised me to block the website. Then they got together and somehow reported it through browser, and it got blocked in Facebook, by using WOT and Google Safebrowsing. There was no download at all on the website, and there was absolutely no virus, or similar. Further, we use only free software any try to minimize Javascript or not use it at all. And 99.99% pages are static HTML.

Google did not give any information why is our website malicious, it was something like “The code could not be isolated” message in the Google console. So there was no proof or evidence that website was malicious.

Google was wrongly accusing us, which is legal issue.

Let’s Encrypt has wrongly accused us, based on Google, which is legal issue.

Instead of being the real ass and going into the court, I am bringing the issue over here. When a website is accused of being malicious, loss of sales may incur, “profit” loss, or damages and other issues that are usually brought to courts. Google Safebrowsing is already considered by some online testimonials to deserve the class action lawsuit.

Let’s Encrypt shall not rely on any third party service.

If the website is rejected for the issuance of the SSL, then the clear information and evidence shall be RECORDED, and kept for future until matter is solved.

I have got the message that website was reported by third party as being malicious, that third party was not identified by cert-bot and inside of the logs, there was no information why the website is malicious.

Once again, your assumption is wrong, incorrect, that Google is “right” and I am not right. There was never and absolutely no evidence within Google console that there was anything malicious. I do not have screenshots to prove.

It seems to me that Google just as WOT and other “watchdog” websites serve the only reason to advertise themselves and their own services.

Let’s Encrypt shall not rely on unreliable third party, to user not identified third party services. It shall be transparent in the process of obtaining or rejecting certificate. cert-bot did not inform me what happened, I found it on this forum.

Other similar incidents:

What if this happens? Is then all SSL issuance in risk?

https://www.en.advertisercommunity.com/t5/Marketing-Your-Business/Google-wrongly-says-website-has-dangerous-links/td-p/791840
https://productforums.google.com/forum/#!topic/chrome/r-9JQIboUmc


https://www.google.com/search?q=wrongly+marked+website+as+malicious&ie=utf-8&oe=utf-8&client=icecat-b#q=google+false+positive+malicious+website


#15

I did not claim that your site is malicious. I couldn’t say. I made multiple references to false positives being a possibility in any such system, including Safe Browsing.

The question is not whether you, Let’s Encrypt or I think that the availability of transport-level encryption should depend on the perceived trustworthiness of a site. I strongly dislike the idea of forcing CAs to be content watchdogs, and going by their blog post and other communication, Let’s Encrypt does too.

Unfortunately, none of that matters. It’s important to understand how the Web PKI works in this context. The CA/B Forum and the root programs get to make the rules, and as long as they have rules for phishing and malware sites, there’s little Let’s Encrypt can do as a CA, other than lobby for a policy change. I don’t think the root programs are breaking any laws by making those rules, but then again I’m not a lawyer.

This analogy does not fit because issuing a PGP key does not establish trust by itself, whereas a certificate issued by Let’s Encrypt is automatically trusted by all mainstream browsers. A more fitting analogy would be a self-signed certificate.


#16

@pfg

Sure, thank you for the comment.

Let’s keep in mind too, that Let’s Encrypt is pretty new and that none of the commercial SSL issuance services which verified only the domain, stopped issuing the SSL service because the website was marked by “third party” (unidentified) as being malicious. Not that I know it.


#17

Other CAs might not necessarily use Google’s Safe Browsing (though I would imagine some do), but it’s unlikely that there are CAs out there that don’t at least use a similar internal or third-party service, unless their issuance process includes manual vetting. Many commercial CAs offer other security products and could operate something like that internally. As we probably all know from the monthly “$AV_VENDOR bricked hundreds of PCs” news reports, they’re just as prone to false-positives.


#18

Just looked up www.poslovne-usluge.com in Google Safe Browsing’s Site status page (see https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=en#url=www.poslovne-usluge.com), and it shows “No unsafe content found”, and “This info was last updated on April 29, 2017”. Looks like they’ve changed their status for your site today, and you should be good to go.


#19

I’m going to assume that you’re not a native English speaker, because in English, you’d be way out of line in saying this (and many other similar statements you’ve made in this thread). You don’t get to dictate policy to Let’s Encrypt. You can advocate for what you think policy should be (though you really haven’t done this either, other than to repeatedly state that they “shall” do what you think they should do), but they’re a private CA and can run their affairs as they see fit–neither you, nor I, nor any of their other users really have a vote. There are plenty of other CAs out there if you don’t like their policies.


#20

@oloryn

Yes, thank you, that is because I had to make Google account and clear it. In that process, Google did not give any information why it was marked as malicious, so their wrongful accusation was not founded.