Certbot Not Able to Issue Certificate - Site marked as unsafe Google Safe Browsing

@danb35

It really does not matter what is my native language.

What the point is:

  • wrongful accusation by Let’s Encrypt, based on an unreliable and inaccurate Google service.

Now, somebody who wrongfully accuses another person may become legally liable. That is why civilized countries, like the English-speaking countries, do not put people in prison if there is no evidence. Ask your attorney to explain to you what I mean. It is better to have a person free, even if that person has committed the crime, than to wrongfully accuse the person. Society must have certain ethical and moral rules on how to judge people.

Google is not following such rules, so it is clear from my references that Google is marking websites as malicious without evidence. This also was clear to me when I entered the Google console, where Google displayed that the malicious code “could not be isolated”. So their process for tagging websites is not transparent, and not in accordance with civilized societies.

It should be clear that I, as a user of this forum, “cannot dictate policies of Let’s Encrypt” – certainly so, as otherwise I would already be modifying the policies and simply publishing them. That is dictating.

Google does not have this kind of dialog with its users. They simply wrongfully accuse parties and go with it; they are a large company, so who dares to sue Google?

What I am writing, and not dictating, is that Let’s Encrypt shall be transparent and not follow the wrongful accusation practice conducted by Google.

When a website is wrongfully accused of being malicious, it loses orders, clients, money, business…

A website tagged as malicious may easily be considered by the public to be engaged in illegal or criminal activity.

Such wrongful accusations are not of the level and kind befitting Let’s Encrypt.

While it is easy to consider such websites, tagged by a third party’s non-transparent process, as just yet another number and of “no importance”, real people are behind them, and families can be destroyed due to such accusations.

Let’s Encrypt needs an attorney who will stress what Innocent Until Proven Guilty means.

Or is Let’s Encrypt to follow the path so that something like the following may happen?

There is a good EFF article on what online libel and defamation are:

Conveniently, I'm an attorney (in the U.S., whose law governs your dealings with LE), so I know a thing or two about legal liability. And no, there's no legal liability if I, a private individual or company, privately accuse you of something, whether or not I'm right, and whether or not I have any decent reason to believe that it's the truth. I can tell you, privately, that I think you're a murderer, without any reason to believe that's true, and there's no legal liability created there. And to the extent that Let's Encrypt is accusing you of anything, they're doing so privately.

Secondly, Let's Encrypt isn't accusing you of anything. They aren't saying, "your domain serves malicious content"; they're saying (correctly) that Google has flagged your domain as serving malicious content. Truth is an absolute defense against a claim of defamation. So even if Let's Encrypt were making that statement publicly, it would not expose them to liability.

Third, even if LE were publicly claiming that your site were malicious, that probably wouldn't expose them to liability, as it probably wouldn't be negligent of them to believe that Google was correct. This is a weaker point, though, and would need to go to a jury (the above two points wouldn't get that far).

Fourth, the principle of "innocent until proven guilty" means that the government cannot punish you for a crime until they have proved your guilt, and the burden is on them to prove it. It doesn't mean that a private entity can't refuse to serve you for any, or no, reason (with a few exceptions that have nothing to do with guilt or innocence of anything). You don't have a right to a trial and proof of your guilt before a business decides you're too risky to do business with.

Fifth, your issue here is with Google. If there's any effect on your orders, clients, money, business, etc., it results from Google listing your site as malicious, not from LE refusing to issue a cert because of that listing. People and companies sue Google all the time, sometimes even successfully. You may or may not have a case against them (ask your attorney if you want to pursue that), but that's where your issue is.

I bolded the important part. When you say "shall", you are dictating. You are stating what must be, as though you have authority to require it. That's (part of) why I gave you the benefit of the doubt and assumed you weren't a native English speaker, as that could explain your misuse of the word. If you're trying to state your beliefs on what policy should be, "should" would be a more appropriate word to use.

Indeed there is. If you'd read it before posting, you wouldn't have repeated the ridiculous assertion that Let's Encrypt exposes themselves to any liability by refusing to issue a cert to sites who are listed by Google.

The fundamental issue is that users have been (wrongly) conditioned to associate the padlock with a trustworthy site. They shouldn't do so; it doesn't mean that, and never has. But nonetheless, they do. CAs can take a variety of approaches to try to deal with this; this is the method LE has chosen. They have a blog post on the subject here which explains their stance. I'm not sure I completely agree--I tend to think a CA should issue a cert to anyone who can demonstrate domain ownership--but their CA, their rules.

4 Likes

try comodo, startssl, sslshopper

certificates are about $10 a year from paid CAs

LetsEncrypt was not accusing you of anything. It did not let you issue a certificate because you did not pass a check. This is well in line with the subscriber agreement (which you had to agree to in order to use the service).

As @danb35 said, your issue has nothing to do with defamation.

LetsEncrypt did not publish the fact that your domain was on Google Safe Browsing list. In fact NO ONE would have been any wiser if you didn’t post it on this forum.

Andrei

@danb35

As an attorney, then, you should make a distinction between integrity and ethics on one hand and the law on the other. I know that attorneys in general do not mind the first; they put stress on the second, the law.

I do not feel affected by Google nor by Let’s Encrypt, nor do I write here any more from the viewpoint of a personal issue.

The issue is one of integrity and the civilized standards established in a society such as the United States: not to accuse anybody of wrongdoing.

It is quite clear that ISRG may in its sole discretion refuse to grant the request for Let’s Encrypt certificate.

Yet that power to refuse a certificate shall not, in a civilized society, at any time be based on a wrongful accusation, regardless of whether such a wrongful accusation has been published by a giant corporation such as Google.com.

So the subject is no longer my domain, but rather the corruption of integrity on ISRG’s part and its effective inability to accurately estimate who is malicious and who is not.

@ahaw021

I understand that you don’t understand what I am speaking about. It is no longer an issue of my own domain. I was surprised that ISRG and Let’s Encrypt rely on Google Safe Browsing, as I consider Let’s Encrypt a noble project for safer communication in the world.

And earlier I discovered that many of the online “watchdogs”, such as Google Safe Browsing, the Firefox reports, McAfee, WOT, and similar, may be influenced by anonymous members of the “community”, who may maliciously tag a website as malicious.

There is no way that Let’s Encrypt can ensure that a website will not be malicious in the future, during the usage of the SSL certificate. That is also part of the Subscriber Agreement: there are no liabilities on the part of ISRG towards those using the SSL certificate.

For this logical reason, that neither ISRG nor Let’s Encrypt shall have any liability in the future for the subscribers of the SSL certificates, there shall be no need to consult “third parties” and trust them blindly with the information on whether some website is malicious or not, as that ruins the noble character of Let’s Encrypt and destroys the values of a society that shall not consider anyone malicious without evidence brought up in the courts of law.

I was addressing the law because you repeatedly made the nonsensical claim that Let's Encrypt was exposing themselves to legal liability in refusing to issue to domains who were listed on Google's Safe Browsing list. That's a legal issue, and has nothing to do with integrity or ethics, nor with your peculiar concept of "civilized standards". But if you're as concerned with integrity and ethics as you claim to be, you'd do well to avoid blanket statements that attorneys in general don't care about those issues.

If you're conceding that you were completely wrong on the legal question, and you're now wanting to shift the question to more nebulous issues like integrity, ethics, and civilized standards, fine. In that case, as I see it, there are two key questions: (1) is it any of the CA's business who's getting the cert, as long as they can demonstrate domain control/ownership? (2) If it's proper for the CA to refuse to issue to phishing/malware sites, what level of care should they use in making that determination?

On the first question, I tend to believe that a CA should issue (at least at the DV level, which is what we're dealing with here) to anyone who can demonstrate domain ownership/control. I think the LE folks agree, conceptually, as they described in the blog post I already linked to. But they're also aware that way too many users put way too much trust in that little padlock--look here for a recent thread with this exact problem. So, at least for the time being, they're taking some effort to block phishing and malware sites. If you'd like to further discuss that policy decision, there's an existing thread for that purpose here, and further discussion would probably better go there.

On the second question, if we accept that it's at least acceptable for the CA to refuse to issue to phishing/malware sites, the remaining question is what they should do to identify such sites. Is it acceptable to rely on a generally-reliable third party, or must LE confirm each blacklisted site on their own? I believe it's perfectly acceptable ("ethical", if you prefer) to rely on a third party, if that third party is generally reliable in making that determination. "Generally reliable" doesn't mean perfect. A fairly low rate of false positives, combined with an effective method for affected sites to contest their listing, would be necessary to consider the third party "generally reliable" in my view. And to the best of my knowledge, both of those conditions are true of Google's Safe Browsing list.

You refer to "the values of the society that shall not consider anyone malicious without evidences brought up in the courts of law", but there is no such value in this or any other society. And in this particular case, that would be entirely impractical. In the first place, it would be ridiculously expensive, as a separate court case would need to be filed for each domain proposed to be blacklisted. This takes an attorney's time (which costs money), and (at a minimum) a filing fee with the court, which is typically hundreds of dollars for each case. You then need to figure out how to serve the opposing party. You're looking at thousands of dollars before you even get to the point of a court hearing evidence. And that's for each domain. In the second place, it would take several months, at a minimum, before a court would hear any evidence of anything.

2 Likes

Well, if there is no such value for you, there is for society. I have given enough references that any average educated person may verify.

I wish you good luck

Nonsense. I don't believe there is any society, worldwide, that has a widely-held value that nobody may be considered malicious without evidence first being heard in court--and despite your claim, you have provided no references at all to any such societies. I'll readily admit that I'm not a sociologist, so I suppose it's possible that I'm wrong and there is some such society, but even if there is, it isn't the United States. There is such a value (indeed, a legal principle) that limits the government--it's considered improper for the government to take adverse action against you without evidence, normally heard in court--but we aren't dealing with the government. We're dealing with a private organization.

Think for a moment about the implications of your claimed value. It would mean that no person could make any judgment of another, positive or negative, for any purpose, on any basis other than evidence heard in court. It's preposterous, and completely unworkable--there aren't enough courts to even begin to make all the judgments that would be required. And even you aren't behaving in a way that's consistent with it. After all, you're judging Let's Encrypt as lacking integrity, and there's certainly been no evidence heard in court to that effect. And you're (at least implicitly) judging me as less than "any average educated person", despite at least two courts having heard evidence to the contrary.

Now, if you instead state the value as "do not consider anyone malicious without evidence", I'd agree with you--we should not make judgments of others, and particularly in ways that affect those others, without evidence. But if that's the value, then LE isn't violating it--inclusion on Google's list is evidence of nefarious history. It isn't conclusive evidence, to be sure, but it is evidence.

1 Like

I’ve closed this topic. The conversation isn’t especially constructive at this point and the original issue as well as the remediation steps available have been explained. Thanks all.

4 Likes