I have some questions related to revoking certificates.
- Does Let's Encrypt and/or the ISRG accept petitions from the public requesting the revocation of certificates for website(s) that are involved in egregious criminal activity? (Example: the public steps up when law enforcement fails to act)
- When websites using Let's Encrypt certificates are found to be involved in criminal activity, what is the process for Let's Encrypt to effectively review and take action?
- What evidence/proof is required to assist Let's Encrypt review of the offending website(s)?
Policy Reference: (LE-SA-v1.2-November-15-2017.pdf, page 5, section 4.3, subsections v and vi.)
P.S. Apologies if the category was incorrectly selected.
Welcome to the Let's Encrypt Community
Thank you for your responses. The articles mentioned in your replies refer specifically to computer crimes. The types of crime I am referring to relate to extreme violence against humanity specifically non-consenting women and children (coersion, intimidation, blackmail, rape, CSAM, CP, violence, extortion, trafficking, etc.). If the public is able to provide you sufficient evidence, will you revoke certificates on your own without asking LE authorities to get involved? Please explain the escalation process with or without LE intervention. Sincere thanks.
It’s likely not going to happen. ISRG is focused on automated systems and tries to stay content unaware. This stuff becomes complex very fast because of jurisdictional issues — what happens when the domain is registered in a first country to an entity in a second, and hosted in data centers in a third, fourth and fifth? It’s a web of potential legal and liability issues for a small nonprofit that offloads much work to the open source community and volunteers like you see here.
The best place to address your concerns is to file abuse complaints with the hosting provider or networks. They typically have dedicated legal and compliance teams that specialize in this, and will be able to quickly de-platform the offender.
You can find their contact info by determining the IP address the domain resolves to and then using https://Whois.Arin.net to do a reverse IP lookup.
A somewhat-related topic is here:
Not the sort of criminal activity you're talking about, but also not cybercrime. There, as here, the answer really is that it isn't the CA's issue--they certify only that the holder of the certificate demonstrated control over the domain name in question. While their TOS reserve the right to revoke certs in the case of criminal activity, they don't in any way obligate Let's Encrypt to do so, and I'm not aware of any mechanism for Let's Encrypt to consider petitions of the sort you're asking about.
And, IMO, that's as it should be. The cert doesn't demonstrate anything other than domain control, and shouldn't be seen as demonstrating anything else. And revoking it for any other reason undercuts that truth.
Also, If Let's Encrypt decided to start revoking certificates for various criminal offenses, how would different legal jurisdictions be handled?
What if the content in question is illegal in various countries, but legal in the United States where LE is based? Or what if it's illegal in the state LE is based in, but legal in the state of the website operator? (slander laws or something maybe?)
I'm no lawyer, but I can see that opening a whole can of worms I bet LE would prefer stays shut. Other entities such as local / federal law enforcement, network operators or browser vendors are much better equipped to handle this.
I myself considered approaching Let's Encrypt about this very topic a while back. Now that I've been around here for awhile, I have gained a greater understanding of the complexities involved with such requests. My recommendation is to bring awareness of such activities to the appropriate authorities. If and when the powers that be deem it necessary for Let's Encrypt to become involved then that bridge can be crossed.
For now, I strongly recommend reporting such concerns to the National Center for Missing and Exploited Children. If you don't feel comfortable reporting directly to such a government entity, you can also submit a report through the Association of Sites Advocating Child Protection, which was founded by various entities within the adult entertainment sector.
Thank you for your response. I'm glad to hear someone feels the same way I do. I am also trying to understand what can be done. I wanted to at least find out if a website can be de-cloaked by shutting down its ability to run secure traffic. But then they'd be forced to pay for certs somewhere else.
I live in a "five eyes" country that (appears to) refuses to investigate and prosecute. While NCMEC and ASACP are valuable organizations, they are proxies of information, therefore they are powerless whenever authorities do not take action. Someone at some point must take a stand and demand NO. It's a moral decision to act no matter who or what you are.
Humanity is doomed when crimes committed are so heinous and complex that the authorities won't even touch it. And so it continues.
This article is 4 years old and I'm not sure if browsers still largely behave the same way as they did when it was written, but it highlights why trying to rely on certificate revocation to bring down malicious sites won't really work even if Let's Encrypt did revoke the certs.
Going along with what @rmbolger has mentioned, revocation only serves to provide a means for cooperative software (e.g. browsers, applications) to voluntarily determine if a certificate should be considered valid. Since a certificate is (usually) just a map between a domain name and a public (and private) key, there is nothing inherent in the actual (mathematical) process such that a revocation will prevent encryption from happening. It's
all up to the browser/app to contact a third party (the CA). Essentially, from the CA's perspective, all encryption/decryption operations happen "offline" (meaning without the CA being involved). This is a huge benefit for the efficiency of the CA (and the server using the certificate) by not requiring the CA to be inherently involved in the process and thus not complicating/loading the CA with additional operations. This is, of course, at the cost of lacking in direct governance of certificate usage.
A revocation is... more like guidelines, really.
If you're looking to visit something horrible, I'm fairly certain you can tell your software to ignore revocations.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.