Misused certificates


If you’re on the Safe Browsing list, people will probably have some issues connecting to you normally. It’s currently one of the best sources for sites that have been flagged as harmful. If your site is on it, it’s not too painful to fix the issue and get removed before getting that certificate issued. A lot of other issuers will also use the same or a similar resource.

If the list becomes unreliable, LE could switch sources. Maybe they could use the source for McAfee SiteAdvisor, or Yandex’s list then.


The ISPs should be held responsible. If they allow spammers to use their networks, there should be consequences: no new certificates from that IP range until the ISP “fixes” the problem. I’ve only ever closed one user’s account due to intentional spamming.


This TrendMicro blog/site/whatever is REALLY posing a GREAT OBSTACLE to integration of ISRG Root CA in browsers by trying to convince the readers that LE is more dangerous than other CAs. I believe something has to be done here. Maybe clarify this once and for all on a pinned thread here on the forums?

And something else: I would think that the blog/site is “affiliated” with some commercial CA that has MUCH to lose if free DV certificates are fully implemented!


Is there any evidence that this piece of FUD has any bearing on the inclusion of the ISRG cert in the root store of any browser or OS?

Clarify what, exactly?


No concrete evidence can be found, because all procedures are internal and hidden from plain sight, except for Mozilla, but even there not everything is viewable. (The SalesForce database, I think, is not viewable for individuals.) However, I can see that commercial CAs are trying to stop ISRG Root from being trusted. Actually, there is evidence here, in this post: “Letsencrypt's validity duration affecting SE ranking?”

Clarify that LE’s intention is not to check whether malicious content is delivered at all, but whether the Subscriber owns and fully controls the domain name. And that exactly this is the purpose of DV certificates. Nothing more, nothing less.


That post is @jsha saying that cert duration doesn’t affect Google ranking. Further in the thread is discussion stating that commercial CAs are trying to dissuade customers from using LE certs by claiming that the 90-day duration will affect Google ranking. I don’t see anything in that thread discussing anything relating to inclusion of the ISRG root CA.

Is clarity lacking on this point?


Accessing the UI of the SalesForce system itself requires individual authentication but all the reports from it are published and linked from Mozilla’s site. So for example when Kathleen sends out a communication to the CAs in the form of a survey, you can read what was sent, and you can see their replies, but you can’t log into SalesForce to add your own replies, you’re not a CA.

You should probably read https://groups.google.com/forum/#!forum/mozilla.dev.security.policy to best follow along with what’s happening. For ISRG the answer is “not a lot”. After a while probably Kathleen will conclude nothing more of substance is going to be said, and approve the application. None of this happens in a hurry.


I have a Synology NAS, and I use dynamic DNS and Let’s Encrypt. If I have to do whois authentication, I will not be able to use LE to protect my NAS, because I am not the dynamic DNS domain owner.

Sorry for my bad English.


Hi @JackLee, I think you might have gotten confused about the subject of this thread.

Let’s Encrypt does not use whois data at all. @My1 was talking about other certificate authorities’ practices here.

Synology NAS users have had a lot of success getting certificates from us using the methods that we actually do support. If you do a web search for something like “let’s encrypt synology”, you can read about lots of other people’s experiences—most of which seem to have been successful.


Thanks for your reply. I understand what you mean, and I also understand @My1’s thoughts. Forgive my bad English.


No problem. By the way, what I posted that you replied to would in theory not affect your cert at all unless the domain owner actually had something against you getting a cert, because my proposal was just that the CA gives a quick info mail about the cert creation to the domain owner.