I am hoping @josh or someone else from LE can comment on the following (@schoen) excerpt from an article about the TrendMicro report. I have bolded the parts I find troubling.
Let's Encrypt automatically issues domain-validated (DV) certificates to websites by checking the URL's phishing status against the Google Safe Browsing API. Once issued, Let's Encrypt does not monitor the certificates or take any action afterward. Even if Google later flags the domain as malicious, Let's Encrypt will not revoke certificates.
"It would be impractical and ineffective," said Josh Aas, executive director of the Internet Security Research Group. ISRG is the group managing the Let's Encrypt project.
Let's Encrypt will not be revoking those certificates issued to the subdomains used in the malvertising attacks, "but it looks like the sites in question have been taken down," Aas said.
This implies that Let's Encrypt will NOT be revoking certificates that are reported for misuse. However, from my reading of the CA/B Forum BRs this is required. I previously started a thread where I cited the relevant BR sections.
I'm not suggesting that LE should be actively re-checking the Google Safe Browsing list and revoking existing certs when flagged. But if a cert is reported to be used for phishing/distribution of malicious software/phishing attempts, is it Let's Encrypt's policy to revoke these certs?