Misused certificates

If you're on the Safe Browsing list, people will probably have some issues connecting to you normally. It's currently one of the best sources for sites that have been flagged as harmful. If your site is on it, it's not too painful to fix the issue and get removed before getting that certificate issued. A lot of other issuers will also use the same or a similar resource.

If the list becomes unreliable, LE could switch sources. Maybe they could use the source for McAfee SiteAdvisor, or Yandex's list then.

The ISPs should be held responsible. If they allow spammers to use their networks, there should be consequences: no new certificates from that IP range until the ISP “fixes” the problem. I’ve only ever closed one user’s account due to intentional spamming.

This TrendMicro blog/site/whatever is REALLY posing a GREAT OBSTACLE to integration of ISRG Root CA in browsers by trying to convince the readers that LE is more dangerous than other CAs. I believe something has to be done here. Maybe clarify this once and for all on a pinned thread here on the forums?

And something else: I would think that the blog/site is “affiliated” with some commercial CA that has MUCH to lose if free DV certificates are fully implemented!

Is there any evidence that this piece of FUD has any bearing on the inclusion of the ISRG cert in the root store of any browser or OS?

Clarify what, exactly?

1 Like

No concrete evidence can be found, because all procedures are internal and hidden from plain sight, except for Mozilla, but even there not everything is viewable. (SalesForce database - I think - is not viewable for individuals) However, I can see that commercial CAs are trying to stop ISRG Root from being trusted: Actually, there is evidence here: This post: Letsencrypt's validity duration affecting SE ranking? - #5 by CvP

Clarify that LE's intention is not to check whether malicious content is delivered at all, but whether the Subscriber owns and fully controls the domain name. And that exactly this is the purpose of DV certificates. Nothing more, nothing less.

That post is @jsha saying that cert duration doesn't affect Google ranking. Further in the thread is discussion stating that commercial CAs are trying to dissuade customers from using LE certs by claiming that the 90-day duration will affect Google ranking. I don't see anything in that thread discussing anything relating to inclusion of the ISRG root CA.

Is clarity lacking on this point?

1 Like

Accessing the UI of the SalesForce system itself requires individual authentication but all the reports from it are published and linked from Mozilla’s site. So for example when Kathleen sends out a communication to the CAs in the form of a survey, you can read what was sent, and you can see their replies, but you can’t log into SalesForce to add your own replies, you’re not a CA.

You should probably read https://groups.google.com/forum/#!forum/mozilla.dev.security.policy to best follow along with what’s happening. For ISRG the answer is “not a lot”. After a while probably Kathleen will conclude nothing more of substance is going to be said, and approve the application. None of this happens in a hurry.

1 Like

I have a Synology NAS; I use dynamic DNS and Let's Encrypt. If I have to do whois authentication I will not be able to use LE to protect my NAS, because I am not the dynamic DNS domain owner.

Sorry for my bad English

Hi @JackLee, I think you might have gotten confused about the subject of this thread.

Let’s Encrypt does not use whois data at all. @My1 was talking about other certificate authorities’ practices here.

Synology NAS users have had a lot of success getting certificates from us using the methods that we actually do support. If you do a web search for something like “let’s encrypt synology”, you can read about lots of other people’s experiences—most of which seem to have been successful.

Thanks for your reply. I understand what you mean, and I also understand @My1's thoughts; forgive my bad English.

No problem. By the way, what I posted that you replied to would in theory not affect your cert at all unless the domain owner actually had something against you getting a cert, because my proposal was just that the CA sends a quick info mail about the cert creation to the domain owner.

Yes, I'm going to revisit this 6-year-old topic because LE's stance is just dumb. It was dumb 6 years ago and it's dumber now. Google's Safe Browsing API is nowhere near as effective as it used to be.

Everyone passes the buck: registrars, hosting companies, and CAs. From the time malicious content is reported it can take hours, days, or even weeks for the abusive content to be addressed. And Let's Encrypt is shirking any responsibility at all.

I'm beyond mad.

The internet is a creepy and dangerous place. Stop expecting random people to filter your content.

Take responsibility for yourself. Or find someone who offers this filtering service you want. There are some.

4 Likes

Please take a look from Let's Encrypt's side: they have about 285 million active certificates currently and that number is growing. And a significant percentage of that enormous number will indeed be used for malicious websites, such as scamming or phishing.

BUT: Let's Encrypt (ISRG) is a non-profit organisation funded by sponsors and has a very small team. What exactly do you expect from Let's Encrypt? Are you expecting them to hire hundreds of people to actively and manually vet reported sites? Do you have any idea what that would cost? That would probably mean Let's Encrypt would either cease to exist entirely or you'd have to pay :money_with_wings: for a certificate that's now free.

Or do you have a better solution? Or did you just want to complain and rant instead of constructively participate in this discussion?

3 Likes

If someone uses a sharpened pencil to commit murder...
Do we push to ban pencils OR to ban pencil sharpeners OR do we ban both?
OR do we agree that doing either of those makes no sense?

You need to realize that a lock on a door doesn't say anything about what will be found on the other side of that door.
LE can only provide the secure "locks" to web site "doors".
It can't, and shouldn't, try to enforce how any such lock is used.
There are plenty of "law enforcement agencies" to handle that.

5 Likes

And it seems you too, @BradR, are passing the buck to all those you listed. @BradR, you should check for yourself that a site is safe and appropriate for you; then, if the registrars, hosting companies, and CAs all seem to believe that the site is safe, dip your toe in a little bit. Gain confidence, then go deeper. @BradR, there are plenty of resources out there to assist you with your own research. :slightly_smiling_face:

1 Like

As an example, perhaps LE's partners, such as Cisco, could provide LE with access to threat feeds (e.g. Talosintelligence) to determine which sites have been flagged as malicious.

I am capable of recognizing malicious websites. But not all businesses and consumers can. I report sites I encounter, but the registrars and cloud hosting companies can take days or weeks to address the malicious content.

And then Cisco [or some other vendor] would have indirect control over which certs get revoked?

2 Likes

Beyond mad. :rofl:

I'm not expecting "random people" to filter my content. I have layers of security but occasionally malicious content slips through.

With ransomware and data exfiltration, consumers and businesses are facing billions of dollars a year in costs to remediate. I'm simply stating that more can be done by those I've mentioned.