Certbot Not Able to Issue Certificate - Site marked as unsafe Google Safe Browsing


#11

The situation Let’s Encrypt is facing is the following:

  • The Baseline Requirements, root store policies (browser/OS vendors) and user expectations based on how other CAs have been operating require that they do at least a minimal amount of work to block certificate issuance for malicious sites. Not doing so could lead to root programs distrusting Let’s Encrypt. Even with the Safe Browsing check in place, Let’s Encrypt is facing a lot of criticism for issuing certificates to phishing sites.
  • Maintaining such a service internally is not realistic and (even if we ignore the cost issue) would either cause far more false positives than the current solution or not be effective at all, increasing the risk of being distrusted.
  • Manual verification is out of the question for a free CA.

That leaves us with third-party options like Google’s Safe Browsing. While alternatives do exist, none of them are immune to false-positives, so there’s little reason to switch to one of those. Based on the amount of posts here that turn out to be related to this, the number of issues caused by this check is very low and in all cases I’ve seen so far, the domain owners were able to resolve the issue within a few days.

Let’s Encrypt has made their position on this topic clear and would probably be happy to remove the check once the rules change, but as they’re not the ones making the rules, that’s not up to them.


#12

It looks like you’re not willing to take time to investigate and verify everything is okay, so I really don’t think I’m going to waste much more of my time on this topic. Just a few notes though for clarification:

That’s not linked to the SafeBrowsing and any other “malicious” checks, as far as I am aware. That particular policy is to block certificates for domains like “bankofamerica.gr”, “wellsfargo.in” or similar obvious high-risk domains for financial and large brands where real damage could be done. I think it’s been mentioned before on the forums that LE is considering making the list public, but there are some risks with doing so and it’s not high priority.

I’ve had that happen before, but it usually gives one or two pages where the detected problem exists. Perhaps you could spend a little time looking at the source code and seeing if there is a legitimate problem in them. If not, there’s a “review” link to request the removal of the site from the system if it is indeed clean.


#13

@pfg

Do not claim that our website was malicious. I am not against the policy to block malicious websites. I am against the wrong accusations and relying on services which are clearly not reliable, such as Google Safebrowsing or WOT.

That somebody makes criticism for issuing certificates to phishing sites is not related to the security of communication; it is an SSL certificate and not a certificate of trust, right? So, it should not make attempts to provide the trust.

It is not the SSL certificate committing the crime but the criminal.

The law and judgment of which website is malicious or not – shall be left to the law, and courts.

In my opinion it is absolutely not necessary to check “what those people are communicating” by using an SSL certificate. It shall be available to criminals equally, as it is not on Let’s Encrypt to judge who is who.

What I am mentioning is more of a legal issue, so it shall be delegated to the attorneys of Let’s Encrypt. My viewpoint comes from the legal aspect.

The analogy is:
Should then the PGP key be issued only to people who are not criminals?


#14

@motoko

I remembered that once our website in the past got blocked, it was by a malicious user, who was jealous, and who promised me to block the website. Then they got together and somehow reported it through the browser, and it got blocked in Facebook, by using WOT and Google Safebrowsing. There was no download at all on the website, and there was absolutely no virus, or similar. Further, we use only free software and try to minimize Javascript or not use it at all. And 99.99% of pages are static HTML.

Google did not give any information on why our website was malicious; it was something like a “The code could not be isolated” message in the Google console. So there was no proof or evidence that the website was malicious.

Google was wrongly accusing us, which is legal issue.

Let’s Encrypt has wrongly accused us, based on Google, which is legal issue.

Instead of being the real ass and going into the court, I am bringing the issue over here. When a website is accused of being malicious, a loss of sales may be incurred, “profit” loss, or damages and other issues that are usually brought to courts. Google Safebrowsing is already considered by some online testimonials to deserve a class action lawsuit.

Let’s Encrypt shall not rely on any third party service.

If the website is rejected for the issuance of the SSL certificate, then the clear information and evidence shall be RECORDED, and kept for the future until the matter is solved.

I have got the message that the website was reported by a third party as being malicious; that third party was not identified by cert-bot, and inside of the logs there was no information on why the website is malicious.

Once again, your assumption is wrong, incorrect, that Google is “right” and I am not right. There was never and absolutely no evidence within the Google console that there was anything malicious. I do not have screenshots to prove it.

It seems to me that Google just as WOT and other “watchdog” websites serve the only reason to advertise themselves and their own services.

Let’s Encrypt shall not rely on an unreliable third party, on third-party services not identified to the user. It shall be transparent in the process of obtaining or rejecting a certificate. cert-bot did not inform me what happened; I found it on this forum.

Other similar incidents:

What if this happens? Is then all SSL issuance at risk?

https://www.en.advertisercommunity.com/t5/Marketing-Your-Business/Google-wrongly-says-website-has-dangerous-links/td-p/791840
https://productforums.google.com/forum/#!topic/chrome/r-9JQIboUmc
https://www.google.com/search?q=wrongly+marked+website+as+malicious&ie=utf-8&oe=utf-8&client=icecat-b#q=google+false+positive+malicious+website


#15

I did not claim that your site is malicious. I couldn’t say. I made multiple references to false positives being a possibility in any such system, including Safe Browsing.

The question is not whether you, Let’s Encrypt or I think that the availability of transport-level encryption should depend on the perceived trustworthiness of a site. I strongly dislike the idea of forcing CAs to be content watchdogs, and going by their blog post and other communication, Let’s Encrypt does too.

Unfortunately, none of that matters. It’s important to understand how the Web PKI works in this context. The CA/B Forum and the root programs get to make the rules, and as long as they have rules for phishing and malware sites, there’s little Let’s Encrypt can do as a CA, other than lobby for a policy change. I don’t think the root programs are breaking any laws by making those rules, but then again I’m not a lawyer.

This analogy does not fit because issuing a PGP key does not establish trust by itself, whereas a certificate issued by Let’s Encrypt is automatically trusted by all mainstream browsers. A more fitting analogy would be a self-signed certificate.


#16

@pfg

Sure, thank you for the comment.

Let’s keep in mind too, that Let’s Encrypt is pretty new and that none of the commercial SSL issuance services which verify only the domain have stopped issuing SSL certificates because the website was marked by a “third party” (unidentified) as being malicious. Not that I know of.


#17

Other CAs might not necessarily use Google’s Safe Browsing (though I would imagine some do), but it’s unlikely that there are CAs out there that don’t at least use a similar internal or third-party service, unless their issuance process includes manual vetting. Many commercial CAs offer other security products and could operate something like that internally. As we probably all know from the monthly “$AV_VENDOR bricked hundreds of PCs” news reports, they’re just as prone to false-positives.


#18

Just looked up www.poslovne-usluge.com in Google Safe Browsing’s Site status page (see https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=en#url=www.poslovne-usluge.com), and it shows “No unsafe content found”, and “This info was last updated on April 29, 2017”. Looks like they’ve changed their status for your site today, and you should be good to go.


#19

I’m going to assume that you’re not a native English speaker, because in English, you’d be way out of line in saying this (and many other similar statements you’ve made in this thread). You don’t get to dictate policy to Let’s Encrypt. You can advocate for what you think policy should be (though you really haven’t done this either, other than to repeatedly state that they “shall” do what you think they should do), but they’re a private CA and can run their affairs as they see fit–neither you, nor I, nor any of their other users really have a vote. There are plenty of other CAs out there if you don’t like their policies.


#20

@oloryn

Yes, thank you, that is because I had to make Google account and clear it. In that process, Google did not give any information why it was marked as malicious, so their wrongful accusation was not founded.


#21

@danb35

It really does not matter what my native language is.

What the point is:

  • wrongful accusation by Let’s Encrypt, based on unreliable and inaccurate Google service.

Now, when somebody wrongfully accuses another person, they may become legally liable. That is why civilized countries, like English-speaking countries, do not put people in prison if there is no evidence. Ask your attorney to explain to you what I mean. It is better to have a person free, even if the one has committed the crime, than to wrongfully accuse the person. Society must have certain ethical and moral rules on how to judge people.

Google is not following such, so it is clear from my references that Google is marking websites as malicious without evidence. This also was clear to me when I entered the Google console and where Google displayed that the malicious code “could not be isolated”. So their process of tagging websites is not transparent, and not in accordance with civilized societies.

It should be clear that I, as a user of this forum, “cannot dictate policies of Let’s Encrypt” – certainly so, as otherwise I would already be modifying the policies, and simply publish it. That is dictating.

Google does not have this kind of dialog with their users. They are simply wrongfully accusing parties and going with it; they are a large company, so who dares to sue Google?

What I am writing, and not dictating, is that Let’s Encrypt shall be transparent and not follow the wrongful accusation practice conducted by Google.

When a website is wrongfully accused of being malicious, it loses orders, clients, money, business…

A website tagged as malicious may easily be considered by the public to have illegal or criminal activity.

Such wrongful accusations are not in the level and kind to the Let’s Encrypt.

While it is easy to consider such websites, tagged by a third party’s non-transparent process, just as yet another number and of “no importance”, real people are behind it and families can be destroyed due to such accusations.

Let’s Encrypt needs an attorney who will stress what Innocent Until Proven Guilty means.

Or is Let’s Encrypt to follow the path so that something as the following may happen?

There is a good EFF article on what online libel and defamation are:


#22

Conveniently, I’m an attorney (in the U.S., whose law governs your dealings with LE), so I know a thing or two about legal liability. And no, there’s no legal liability if I, a private individual or company, privately accuse you of something, whether or not I’m right, and whether or not I have any decent reason to believe that it’s the truth. I can tell you, privately, that I think you’re a murderer, without any reason to believe that’s true, and there’s no legal liability created there. And to the extent that Let’s Encrypt is accusing you of anything, they’re doing so privately.

Secondly, Let’s Encrypt isn’t accusing you of anything. They aren’t saying, “your domain serves malicious content”; they’re saying (correctly) that Google has flagged your domain as serving malicious content. Truth is an absolute defense against a claim of defamation. So even if Let’s Encrypt were making that statement publicly, it would not expose them to liability.

Third, even if LE were publicly claiming that your site were malicious, that probably wouldn’t expose them to liability, as it probably wouldn’t be negligent of them to believe that Google was correct. This is a weaker point, though, and would need to go to a jury (the above two points wouldn’t get that far).

Fourth, the principle of “innocent until proven guilty” means that the government cannot punish you for a crime until they have proved your guilt, and the burden is on them to prove it. It doesn’t mean that a private entity can’t refuse to serve you for any, or no, reason (with a few exceptions that have nothing to do with guilt or innocence of anything). You don’t have a right to a trial and proof of your guilt before a business decides you’re too risky to do business with.

Fifth, your issue here is with Google. If there’s any effect on your orders, clients, money, business, etc., it results from Google listing your site as malicious, not from LE refusing to issue a cert because of that listing. People and companies sue Google all the time, sometimes even successfully. You may or may not have a case against them (ask your attorney if you want to pursue that), but that’s where your issue is.

I bolded the important part. When you say “shall”, you are dictating. You are stating what must be, as though you have authority to require it. That’s (part of) why I gave you the benefit of the doubt and assumed you weren’t a native English speaker, as that could explain your misuse of the word. If you’re trying to state your beliefs on what policy should be, “should” would be a more appropriate word to use.

Indeed there is. If you’d read it before posting, you wouldn’t have repeated the ridiculous assertion that Let’s Encrypt exposes themselves to any liability by refusing to issue a cert to sites who are listed by Google.

The fundamental issue is that users have been (wrongly) conditioned to associate the padlock with a trustworthy site. They shouldn’t do so; it doesn’t mean that, and never has. But nonetheless, they do. CAs can take a variety of approaches to try to deal with this; this is the method LE has chosen. They have a blog post on the subject here which explains their stance. I’m not sure I completely agree–I tend to think a CA should issue a cert to anyone who can demonstrate domain ownership–but their CA, their rules.


#23

try comodo, startssl, sslshopper

certificates are about $10 a year from paid CAs

LetsEncrypt was not accusing you of anything. It did not let you issue a certificate because you did not pass a check. This is well in line with the subscriber agreement (which you had to agree to to use the service).

As @danb35 said, your issue has nothing to do with defamation.

LetsEncrypt did not publish the fact that your domain was on Google Safe Browsing list. In fact NO ONE would have been any wiser if you didn’t post it on this forum.

Andrei


#24

@dan35

As an attorney, then, you should make a distinction between integrity and ethics versus the laws. I know that attorneys in general do not mind the first; they put stress on the second, the law.

I do not feel affected by Google nor by Let’s Encrypt, nor do I write here any more from the viewpoint of a personal issue.

The issue is one of integrity and civilized standards established in societies such as the United States: not to accuse anybody of wrongdoing.

It is quite clear that ISRG may in its sole discretion refuse to grant the request for Let’s Encrypt certificate.

Yet that power to refuse the certificate shall not, in a civilized society, be at any time based on a wrongful accusation, regardless of whether such wrongful accusation has been published by a giant corporation such as Google.com.

So the subject is no longer my domain, rather the corruption of integrity on ISRG’s part and effectively not being able to accurately estimate who is malicious and who is not.


#25

@ahaw021

I understand that you don’t understand what I speak about. It is no longer an issue of my own domain. I was surprised that ISRG and Let’s Encrypt rely on Google Safebrowsing, as I consider Let’s Encrypt a noble project for safer communication in the world.

And earlier in time I discovered that many of the online “watchdogs” such as Google Safebrowsing, the Firefox reports, McAfee, WOT, and similar, may be influenced by anonymous members of the “community”, who may maliciously tag a website as malicious.

There is no way that Let’s Encrypt may ensure that a website is not malicious during the future usage of the SSL certificate. That is also part of the Subscriber Agreement, that there are no liabilities on the part of ISRG for those using the SSL certificate.

For this logical reason, that neither ISRG nor Let’s Encrypt shall have any liabilities in the future for the subscribers of the SSL certificates, there shall be no need to consult “third parties” and trust them blindly with the information that some website is malicious or not, as that ruins the noble character of Let’s Encrypt, and destroys the values of the society that shall not consider anyone malicious without evidence brought up in the courts of law.


#26

I was addressing the law because you repeatedly made the nonsensical claim that Let’s Encrypt was exposing themselves to legal liability in refusing to issue to domains who were listed on Google’s Safe Browsing list. That’s a legal issue, and has nothing to do with integrity or ethics, nor with your peculiar concept of “civilized standards”. But if you’re as concerned with integrity and ethics as you claim to be, you’d do well to avoid blanket statements that attorneys in general don’t care about those issues.

If you’re conceding that you were completely wrong on the legal question, and you’re now wanting to shift the question to more nebulous issues like integrity, ethics, and civilized standards, fine. In that case, as I see it, there are two key questions: (1) is it any of the CA’s business who’s getting the cert, as long as they can demonstrate domain control/ownership? (2) If it’s proper for the CA to refuse to issue to phishing/malware sites, what level of care should they use in making that determination?

On the first question, I tend to believe that a CA should issue (at least at the DV level, which is what we’re dealing with here) to anyone who can demonstrate domain ownership/control. I think the LE folks agree, conceptually, as they described in the blog post I already linked to. But they’re also aware that way too many users put way too much trust in that little padlock–look here for a recent thread with this exact problem. So, at least for the time being, they’re taking some effort to block phishing and malware sites. If you’d like to further discuss that policy decision, there’s an existing thread for that purpose here, and further discussion would probably better go there.

On the second question, if we accept that it’s at least acceptable for the CA to refuse to issue to phishing/malware sites, the remaining question is what they should do to identify such sites. Is it acceptable to rely on a generally-reliable third party, or must LE confirm each blacklisted site on their own? I believe it’s perfectly acceptable (“ethical”, if you prefer) to rely on a third party, if that third party is generally reliable in making that determination. “Generally reliable” doesn’t mean perfect. A fairly low rate of false positives, combined with an effective method for affected sites to contest their listing, would be necessary to consider the third party “generally reliable” in my view. And to the best of my knowledge, both of those conditions are true of Google’s Safe Browsing list.

You refer to “the values of the society that shall not consider anyone malicious without evidences brought up in the courts of law”, but there is no such value in this or any other society. And in this particular case, that would be entirely impractical. In the first place, it would be ridiculously expensive, as a separate court case would need to be filed for each domain proposed to be blacklisted. This takes an attorney’s time (which costs money), and (at a minimum) a filing fee with the court, which is typically hundreds of dollars for each case. You then need to figure out how to serve the opposing party. You’re looking at thousands of dollars before you even get to the point of a court hearing evidence. And that’s for each domain. In the second place, it would take several months, at a minimum, before a court would hear any evidence of anything.


#27

Well, if there is no such value for you, there is for society. I have given enough references that any average educated person may verify.

I wish you good luck.


#28

Nonsense. I don’t believe there is any society, worldwide, that has a widely-held value that nobody may be considered malicious without evidence first being heard in court–and despite your claim, you have provided no references at all to any such societies. I’ll readily admit that I’m not a sociologist, so I suppose it’s possible that I’m wrong and there is some such society, but even if there is, it isn’t the United States. There is such a value (indeed, a legal principle) that limits the government–it’s considered improper for the government to take adverse action against you without evidence, normally heard in court–but we aren’t dealing with the government. We’re dealing with a private organization.

Think for a moment about the implications of your claimed value. It would mean that no person could make any judgment of another, positive or negative, for any purpose, on any basis other than evidence heard in court. It’s preposterous, and completely unworkable–there aren’t enough courts to even begin to make all the judgments that would be required. And even you aren’t behaving in a way that’s consistent with it. After all, you’re judging Let’s Encrypt as lacking integrity, and there’s certainly been no evidence heard in court to that effect. And you’re (at least implicitly) judging me as less than “any average educated person”, despite at least two courts having heard evidence to the contrary.

Now, if you instead state the value as “do not consider anyone malicious without evidence”, I’d agree with you–we should not make judgments of others, and particularly in ways that affect those others, without evidence. But if that’s the value, then LE isn’t violating it–inclusion on Google’s list is evidence of nefarious history. It isn’t conclusive evidence, to be sure, but it is evidence.


#29

#30

I’ve closed this topic. The conversation isn’t especially constructive at this point and the original issue as well as the remediation steps available have been explained. Thanks all.