Issued certificate to scam website

Hello,
I see you have issued a certificate to a scam website, they've been doing it for a while now.
The website in question is seller-dwarf.ru
Here are a few victims: seller-dwarf.ru reviews - Online stores - Russia's first independent review site
I'm also a fool that got scammed by them. I'm pretty sure you guys wouldn't issue a certificate knowing that it's a criminal enterprise, so I do hope you will take the appropriate actions against them.
Thanks.

2 Likes

You're roughly the hundredth person to post about a similar issue, and like all the rest, you're reporting the issue in the wrong place. Here's the Let's Encrypt policy on such matters:

5 Likes

Thanks,
I read into it after making the post. Too bad this happens, since consumers do have an increased degree of confidence when seeing that the website is certified, especially with money involved.
A few people have reported this site for phishing to Google but it's still alive and well, clean to all engines.

3 Likes

And that, really, is the problem. A certificate does not mean, and has never meant, anything about the bona fides of the website operators--it guarantees only that (1) the website is who/what it says (by its domain name) it is, and (2) your data isn't going to be intercepted or changed in transit. The site operators can be scoundrels, criminals, or the literal reincarnation of Adolf Hitler--the cert doesn't address that in the least, and it never has.

5 Likes

@danb35

Very true brother. I mean, irs.gov has a certificate...

:grin:

It's not an EV certificate either.

5 Likes

This is one tweet I think describes certificates very well.

https://twitter.com/shanselman/status/187572289724887041

8 Likes

While I also feel fraudulent activities should be stopped from all aspects of the operation chain, I don't think revoking or stopping free certificate issuance from Let's Encrypt can do much. Besides Let's Encrypt, there are some other free certificate offerings from other CAs as well, and if the people behind the activity really want, they can go with a paid certificate (slightly increasing their cost).

I don't recall any well-known CAs explicitly filtering websites regarding phishing or other issues. (Probably due to the overwhelming number of websites spawned every day.) Even Sectigo has the following line in their report abuse help page.

"Certificate Authorities like Sectigo do not regulate in any way whatsoever the content of a particular web site, nor do they control or monitor the business practices of any web site operator. Specifically, a Certificate Authority cannot moderate or adjudicate transactions where the consumer has been misled or where the site owner has acted badly."

I think the proper steps, instead of reporting to certificate authorities, should be involving your country's law enforcement agency and after that, you can submit reports to the domain's registrar, hosting provider, and then ICANN if the registrar didn't do what they are supposed to.

3 Likes
