Our website just triggered the “considered an unsafe domain by a third-party API” rejection.
In this case, that is correct, broadly speaking.
Is it possible to request an exemption from the API result? Issuance Policy sounds like the right area.
The denied certificate is for https://malware.wicar.org/ which hosts safe/test “undesirable payloads” for http://wicar.org/ - a website designed to be the antivirus EICAR equivalent for Web, hence the W.
I don’t know what APIs are checked, but I know Google recently flagged it and the objection to please delist was ignored.
The purpose of WICAR is to be able to safely test network defences. For example, a corporation might have firewall IPS signatures, then AV scanning HTTP proxy, then content filter, then desktop AV. Users can visit the WICAR website to see where their security controls “see” the threat and choose to block. Or if they fail, the test may actually reach a desktop and execute. Given the possibility, it is desirable to have WICAR safe payloads which execute calc.exe instead of testing from a public blacklist of actual infected websites and e.g. cryptolocker ransomware that might infect the organisation if newly deployed security technology doesn’t work as expected.
However, the malware host must continue to host fake payloads, and SSL via LetsEncrypt was added so that visitors can also test their SSL-inspection anti-malware defences, given SSL and TLS are often abused to deliver browser attacks which sneak past IDS/IPS/AV which cannot strip SSL for analysis and (thanks to LetsEncrypt!) is becoming the norm.
Any help? Thanks!