Fraudulent USPS lookalike with a Let's Encrypt certificate

The fraudulent website uses a Let's Encrypt cert. Let's Encrypt ought to revoke the cert and prevent renewal in February.

Welcome @hughw

Please refer to this FAQ answer for the suggested way to report this. It also has a link for the ISRG (Let's Encrypt) policy about this.


It seems the word about this particular site [of which there are many] is getting around:


If revoking the cert is the expected cure, then you are not really protecting yourself from such sites.


It's not that the cert is the most effective way to shut them down. It's that it's criminal to knowingly do business with a criminal that enables that criminal to steal money from people. Refusing to renew the cert seems like a common sense policy.

The FAQ suggests reporting such sites to Google and Microsoft. Let's Encrypt, however, per policy, will continue to issue certs to these criminals.

If you've been notified, or if you have the capability via API to discover, that you're enabling criminal activity, you should stop doing business with them.

How does securing an HTTP connection lead to enabling theft? :thinking:

Do locks on doors enable criminal activity? Would removing the locks suddenly stop crime? If so, that would be a revelation. Similar to how @danb35 already explained, assuming that a secure connection to a site means that the site is safe is like assuming that a locked building won't have criminal activity occurring inside. The locks don't facilitate the activity any more than the carpet does.


C'mon, that is a bad faith reply. You know very well that a site that has no certificate displays discouraging messages in browsers.

Yeah, just like a legitimate post office with broken windows or no carpet might discourage customers. The problem with an illegitimate post office is that it's illegally made up to look like a legitimate post office not that it has carpet and unbroken windows.


In my view, if you remove the certificate from a criminal web site, you might prevent some people from submitting their sensitive info. For those people who still do, you then have the even worse problem that their sensitive info was now exposed to even more bad people than the illegal site operators due to their information being sent without encryption.


It's no less bad faith than your demand that Let's Encrypt police the contents of sites using their certificates. Because make no mistake, that is what you're demanding. Sure, it seems straightforward that LE shouldn't issue certs to scam sites--but where does it stop? What about sites that handle other content that's illegal in certain parts of the world? Or that carry politically-disfavored material? Or that express opinions that LE just doesn't like?

LE has taken the correct position, IMO, which is that the CA isn't the content police. There are other avenues to address these issues, but the CA isn't one of them.


I mean, we could encourage lock makers to remove locks (and break windows and remove carpet) of businesses of assumed criminals, but it's likely those criminals have a larger staff and more dangerous means and motives than the lock makers to retaliate. I like our lock makers and would prefer to keep them safe and let alphabet law enforcement agencies with overwhelming staff, means, and legal motive by design take on the criminals.


You should know that when a "bad" site gets shut down, the criminal simply starts a new one - much like you starting a new topic after I closed the one you hijacked. (I noticed the OP of that topic seemed to understand what he was told.)

LE's purpose is to provide certificates that show that the traffic between a website and the user is encrypted - nothing more. It is not LE's job to police the millions of websites using their certs. That's what law enforcement is for.

I'm closing this topic with the hopes you understand the explanations you've received between the two topics.