Hi
My humble suggestion is to dedicate a person who looks at Twitter.
For comparison, companies like RapidSSL (DigiCert) and Sectigo (Comodo) have a strong Twitter presence.
When a user submits a Twitter post showcasing misuse of the Terms of Service, the Twitter accounts of SECTIGO and RAPIDSSL look into the issue and resolve it, without the need of logging tickets to external systems, sending emails or abuse complaints.
In that regard LETS ENCRYPT has a lot to do in order to be better and more transparent. The service gets misused DAILY, and nobody on Twitter @Letsencrypt even cares to reply.
Please hire a person to clean up the scammers' spoofed certificates of lookalike clone sites.
I could pay you $5 a month for this. If every community member pays $5 a month this will become a full-fledged salary.
Please don’t let LETS ENCRYPT become the DE FACTO choice of scammers due to it being free, easy to deploy and lacking Twitter support.
Also please don’t redirect me to useless abuse web forms. I think your staff ought to have resources to pick up reports directly from Twitter feeds.
Why are CAs supposed to be content police, when domain registrars and web hosts are the ones actually hosting the phishing sites? It is a completely bizarre responsibility to pin on a CA. This link might interest you as well.
They do not sell certificates like SECTIGO and RAPIDSSL, so they can't have dedicated staff to help people.
Let's Encrypt only guarantees the security of the communication with the website, not who the entity behind that website is. Scammers also use servers, domains and IP addresses. You could also report such websites to Google/Bing. Contacting their hosting provider or the authorities of your country is also a solution.
A website using Let’s Encrypt is engaged in Phishing/Malware/Scam/… , what should I do?
We recommend reporting such sites to Google Safe Browsing and the Microsoft Smart Screen program, which are able to more effectively protect users. Here are the reporting URLs:
I agree and I report everywhere: hosting, domain registrar, Google Safe Browsing, Netcraft, URLhaus, Abuse.ch and so on.
That being said, I would like Let’s Encrypt to step their game up and be able to absorb reports from Twitter.
I do not have time to use their abuse forms and yada yada.
I’d prefer that when I tag a bad site and @letsencrypt, someone would see it and act upon it.
This is what this post is about.
I can also give a small amount of money for this initiative. If enough people chip in we can make it a salary.
Do not give me generic advice.
EDIT: I read the link you gave me.
there is something nice there
At least for the time being, Let’s Encrypt is going to check with the Google Safe Browsing API before issuing certificates, and refuse to issue to sites that are flagged as phishing or malware sites. Google’s API is the best source of phishing and malware status information that we have access to, and attempting to do more than query this API before issuance would almost certainly be wasteful and ineffective. (Update: As of January 10, 2019, we no longer check domains against the Safe Browsing API.)
That means that all my reports to GSB and Netcraft automatically were linked to Let’s Encrypt!
GOOD! But why did it get disabled? The explanation looks like a “we are not a content-policing watchdog, leave us alone and bother the hosting”: “We’ve stopped checking with Google Safe Browsing primarily because Domain Validation certificates are intended solely for use in securing the transfer of data between a site and its visitors. This is a critical component of a secure experience, but it does not mean that a site’s contents are safe. The question of whether or not content is safe is not one that we can accurately answer, and it is outside the scope of certificates and HTTPS.”
Nobody says anything about MUST.
This is just a suggestion / observation.
On Twitter there is a strong presence of infosec-oriented people who report cybercrime (including phishing).
However having all vectors covered lowers the scammer’s success rate. The faster a bad site is taken offline the better.
Sometimes hosting companies are “bulletproof” and ignore reports. Revoking the TLS/SSL certificate is a nice way to circumvent those scams via another layer.
Let them exist, but no “padlock” and big red Google Safe Browsing warning = close enough to disabled.
Even for people who'd fall for a scam? I, personally, think that a padlock or not doesn't really matter in this.
Also, I think "teaching" people to trust the green padlock for the contents of a site is a bad thing! People should know that they can't rely on the green padlock for the reliability of the contents of a site! So by trying to get Let's Encrypt onboard with this whole scam police thing, you're setting a precedent by which people are taught the wrong thing.
I agree. I have even contacted many banks, asking them to redact their Phishing / FAQ page and put less weight on the “padlock” being a “universal safety net”.
My comment is only regarding bulletproof hosting.
I normally approach Hosting, Domain Registrar and last (but not least) SSL / TLS provider.
Many also do not allow for sites like FakeEbay.XYZ to be registered as a TLD.
However fraudsters get around this by registering GenericDomain.XYZ, adding a cert to it, and then adding subdomains like EBAY.GenericDomain.XYZ.
So the TLS/SSL does have a role IMO, albeit not very big.
I do not advocate for padlock = universal safety; on the contrary! I have also alerted many banks to redact their FAQ pages and put less emphasis on the padlock as a “panacea” for safety.
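The subdomain point above (a brand keyword such as EBAY placed in a left-hand label of an otherwise innocuous registrable domain) is exactly what a registrar-level name filter misses, and what anyone triaging certificate hostnames from a SAN list or a CT log feed has to look for. The script below is an added example written for this thread, not Let's Encrypt code or anything from the posters; the brand list, the allowlist and the sample SAN list are constructed, and it treats the last two labels as the registrable domain (a simplification; real code would consult the Public Suffix List). It contrasts the registrar-style check with a label-by-label check, folding a few common digit-for-letter substitutions before matching, and exempts the brands' own domains so they are never flagged.

```python
"""Flag brand look-alike labels anywhere in a certificate's hostnames.

Added example for this thread, not Let's Encrypt code. The brand list,
allowlist and the sample SAN list are constructed for the demo.
"""

# Constructed for the demo: brands to watch, and the brands' own
# registrable domains, which must never be flagged (false-positive guard).
WATCHED_BRANDS = ("ebay", "paypal")
BRAND_ALLOWLIST = {"ebay.com", "paypal.com"}

# Cheap normalisation: drop hyphens and fold digits commonly used in
# place of letters, so "e-bay" and "paypa1" still match.
_SUBST = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def registrable_domain(hostname: str) -> str:
    """Simplification (assumption): last two labels. Use the Public
    Suffix List in production (co.uk etc. break this rule)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    return label.lower().replace("-", "").translate(_SUBST)


def brands_in(text: str) -> list:
    """Watched brands whose name appears inside one normalised label."""
    norm = normalize_label(text)
    return [b for b in WATCHED_BRANDS if b in norm]


def registrar_style_check(hostname: str) -> list:
    """What a registrar-level filter sees: only the registrable domain's
    own label. 'ebay.genericdomain.xyz' passes this check."""
    reg = registrable_domain(hostname)
    if reg in BRAND_ALLOWLIST:
        return []
    return brands_in(reg.split(".")[0])


def subdomain_aware_check(hostname: str) -> list:
    """Label-by-label check for SAN / CT-log triage: every label counts,
    but the brand's own registrable domain is exempt."""
    hostname = hostname.lower().rstrip(".")
    if registrable_domain(hostname) in BRAND_ALLOWLIST:
        return []
    found = []
    for label in hostname.split("."):
        for brand in brands_in(label):
            if brand not in found:
                found.append(brand)
    return found


def triage_sans(sans) -> dict:
    """Return {san: [brands]} for every SAN entry that trips the
    subdomain-aware check. A wildcard entry is checked on its base
    name only; the labels it would cover never appear in the cert."""
    hits = {}
    for name in sans:
        host = name[2:] if name.startswith("*.") else name
        flagged = subdomain_aware_check(host)
        if flagged:
            hits[name] = flagged
    return hits


# Constructed sample: the SAN list of one hypothetical certificate.
SAMPLE_SANS = [
    "genericdomain.xyz",
    "ebay.genericdomain.xyz",
    "secure-paypa1.genericdomain.xyz",
    "www.ebay.com",
]

if __name__ == "__main__":
    for host in SAMPLE_SANS:
        print(f"{host:35} registrar={registrar_style_check(host)} "
              f"subdomain_aware={subdomain_aware_check(host)}")
    print(triage_sans(SAMPLE_SANS))
```

Two caveats matter in practice: a wildcard certificate (`*.genericdomain.xyz`) covers the look-alike label without it ever appearing in the certificate, so this kind of triage sees nothing there; and substring matching on short brand names produces noise (a brand name embedded in an unrelated word), so a production filter needs a tuned brand list and an allowlist maintained per brand.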
But even then: Let’s Encrypt is free and will stay free. And it’s automated and will stay automated. Certificates are generated faster than an army of this proposed Twitter-answering LE staff can handle. It’s just not feasible. It’s not useful. The green padlock would be back as soon as the previous one was revoked, assuming scammers would bother to do so. It could even be automated: previous cert revoked? Fine, I’ll generate a new one.
Even if the hostname would be added to some kind of block list, a scammer could automatically use another hacked host for its scamming business.
I just don’t see the added benefit here. Only someone who’s trying to add a lot of FUD to the Let’s Encrypt mission.
Well, to me, your opening post comes across a bit aggressive, using sentences like "Let's Encrypt has a lot to do in order to be better (…)" and "nobody (…) even cares to reply".
It's of course great to think along with Let's Encrypt, but to me it sounds like you're on some kind of crusade where you've got all the answers (by suggesting a single communication channel through a commercial company) and Let's Encrypt is doing a terrible job.
I have marked my topic as “solved”, as it is not productive. Apologies for my rant.
They are not based on fiction, but facts backed up by statistics.
Last comment: by not answering mentions on Twitter, any company, not just Let’s Encrypt, leaves the impression of a “giant faceless corporation” rather than a human-oriented organization.
Even for the sake of a better public image, it might be worth it to have a person or social media team, even if they do not absorb abuse complaints.
Thanks for reading my thread and apologies for coming across as a fud boi.
No doubt. But here are some points you don't seem to be accounting for:
LE has long taken the position that it isn't properly the role of the CA to be the spam/scam police. Initially, they ran new cert requests against the Google Safe Browsing list, but IIRC they've long since ceased to do that. If you can demonstrate domain control, you get a cert. Their position statement on this has been linked up-topic, and this has been the subject of extensive discussion here (see, e.g., here, here, and here).
Similarly, LE doesn't revoke certs simply because bad people are using them, or are using them for bad purposes. They revoke in the case of mis-issuance, or on subscriber request.
Your request (which sounded much more like a demand) was that LE adopt a new support channel, with dedicated personnel to monitor it, to do something they've long since said they don't do in the first place, and without any apparent consideration (or even awareness) of the foregoing points.
I guess there's some validity in the request that LE monitor Twitter mentions--for reasons that completely escape me, lots of people use it, and expect to be able to interact with businesses and organizations that way. But their response to all the reports you're talking about would be some version of "we don't do that. See https://letsencrypt.org/2015/10/29/phishing-and-malware.html."
Thanks! This list is a very nice treasure trove of information.
You are a good person for taking the effort to format it so nicely,
and I am a bad person for sounding demanding.
I apologize.
I’m Jenessa, I do fundraising and indeed… social media here at Let’s Encrypt.
I do check our Twitter @ replies multiple times daily and respond from my personal account (or forward it to a member of our team) if needed. I also check and answer the messages if needed as well. Often it is to point people to this forum! As we use our resources really wisely (as a non-profit organization and a CA helping secure over 200M domains with 13 people) and we seek to have a great treasure trove of information here on our forum. You came to the correct place @spamreports! I specifically do not reply to people on Twitter from our Let’s Encrypt account (or very rarely) as we have this incredible forum where we can answer longer form and have it as a reference for years to come. What a great place we have here, what a great community to talk about policies and making the Web better.
I am thankful for the work you all do to make the Web an even better place - let’s keep going!
Best,
JP
Fundraising Specialist at Let’s Encrypt