How to report abuse?

Hello

The website at https://www.adultwork.uk.com is a fraudulent phishing website. The free certificate provided by Let’s Encrypt is adding some level of authenticity to the Site.

I have reported the domain and Site to the relevant parties but how can the certificate be revoked? (and/or - how do you report abuse of the Let’s Encrypt platform?)

Thanks

Alan

I believe the correct address for abuse reports is at the bottom of https://letsencrypt.org/repository/ (“Certificate Problem Reports”), however Let’s Encrypt may be reluctant to revoke this certificate - they only certify that your connection to a given domain name is encrypted (a.k.a. DV - Domain Validation), not the identity of the person/organisation behind the website (or whether the website is safe to use).

See also blog entry https://letsencrypt.org/2015/10/29/phishing-and-malware.html and related discussion thread “The CA's Role in Fighting Phishing and Malware”.

2 Likes

You should also report it to Google Safe Browsing:

https://safebrowsing.google.com/safebrowsing/report_phish/

This will block the website in every major browser except IE/Edge* in a much more efficient way than certificate revocation, which browsers almost never check, and will prevent the website from obtaining future certificates from Let’s Encrypt (and many other CAs).

*IE/Edge uses their own filter called Microsoft SmartScreen. If you want to report it to them, there is an option in the Help menu in those browsers.

2 Likes

Thanks for the report, but our current policy does not allow us to revoke certificates for suspected phishing or malware sites. We recommend reporting such sites to Google Safe Browsing (as @patches suggested, thanks!) and the Microsoft SmartScreen program, which are able to more effectively protect users.

If you’d like to read more about our policies and rationale we have shared more detailed thoughts here.
