Name is blacklisted on renew

I tried to renew my domains (I got 3 domains), all went fine except my domain ing.rs with this message:

Error: malformed :: The request message was malformed :: Error creating new authz :: Name is blacklisted

Where can I find the reason or a solution for this problem, as the certificate should expire today? Is there something like unblocking?

I registered this domain in the beta program 3 months ago. I renewed this domain 2 months ago and everything worked fine, but now it failed.

The domain is not highly rated at all and I don't think there are any security threats or any other legal problems.


Hello @cobisimo,

I’ve checked your site in VirusTotal and it seems your site is clean. The only thing I could think of about your domain being blacklisted is that its name is too close to ING Bank.

But the actual reason can only be answered by Let’s Encrypt staff members.

Note: It would be good to have a contact form to report this kind of issue to Let’s Encrypt staff.

Good luck,
sahsanu

I went ahead and flagged the post for attention. Hopefully one of the LE staff will get to it soon.

@josh sent a message to me directly (possibly confused by me flagging the post) with a response. I'm including it here:


It would be great if @josh would explain what the definition of “high risk” is and if this list is publicly visible.
I can understand that a “Bank” is on the list, but the same should apply to medical supply, given the
high risk of fake medicaments. Also for pages related to “women houses”. Next, what about webmail
servers, to avoid phishing?
So where does the real security start, and where does it go too wide?
ing.rs vs ing.com => Blacklist
db.de vs db24.de => These are two different big German companies where no one would suggest any misuse.


Financial institutions are probably the biggest targets for phishing campaigns. It would definitely be nice if the CA/B Forum could come up with a set of rules that define “high-risk” domains and how CAs should handle such cases, but without those rules this is probably the best option for now.

@pfg, if I were a hacker I would say the primary targets are webmail or social media accounts.
Because if you get access to these accounts you can place content into the inbox, see private information,
and request password resets. That allows you to gain access into the physical world. High chance of
answering security questions. Via Dropbox or similar you can more easily install a rootkit.
So all this would allow one to gain access to the bank plus additional security pages.

A high risk domain is one for which there is a high risk of confusion which might lead to abuse, particularly in terms of malware or phishing campaigns. It’s typical for CAs to not allow issuance to such domains.

Our list was created by identifying top phishing targets and blacklisting their domains with a combination of TLDs. In the case that initiated this thread, “ing.com” was blacklisted but so was “ing.rs” and a number of other TLDs (e.g. “ing.net”, “ing.co.uk”, etc…).

Obviously our list isn’t comprehensive in terms of all the possibilities for abuse. No CA’s is; one has to draw the line somewhere. Our list includes about 200 domains/entities.

We regularly review the high risk domains blocklist and discuss the policy around it, especially in light of our stance on CA anti-phishing and anti-malware enforcement.


OK, 200 "names" on the list is at least a number that shows the list is not too extensive.
Who is "we" in the case of the review? Because in the case of ing.rs the owner got a certificate the first time,
did not violate the LE policy at any point, and is now denied the certificate.

Now what happens if the person had pinned your CA and a second CA with HPKP?
But CAs could say we will not issue because you are on a high risk list.
And since you must have a backup PIN with HPKP, it is no problem.

Was the procedure mentioned under point 3.2.4.3 (CPS) run to get more information about "ing.rs"?

We probably won't unblock it; unfortunately you'll need to get a certificate from another CA.

If this statement from motoko is correct, I guess that since LE is fully automated there is no procedure to request more information for high risk domains. And with 200 names on the list and 1096 TLDs, this means that, without name variations like GO0GLE, as you explicitly mention, you block over 200,000 names as "risk" registrations.

I know this sounds hard, but I think the whole process around "high risk" and what it is is not as public as it should be.

Hi @cobisimo,

Sorry for the delayed update here.

We tweaked our system of generating a list of high-risk domains in December. The new list expands name.com to name.TLD whenever the owner of name commonly registers it in each TLD. It looks like that was over-inclusive in this case. We’ll plan to fix it in the next couple weeks and get back to you when it’s ready.


Is the list publicly viewable?

Not at the moment, sorry.

This is now fixed and you should be able to reissue for ing.rs. Sorry for the trouble!


Hi,

we have the same error: Error creating new authz :: Name is blacklisted.
The domain is ccb.cz. Is it on the blacklist? We have a private server on our own IPs.

Any suggestions?

I tried an unofficial client (https://github.com/Neilpang/le) and it said:
new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: Policy forbids issuing for name","status":400}

How can I check whether the domain ccb.cz (mail.ccb.cz) is on the blacklist, and how can I get it removed?
Other domains are working.

Hi, I tried to get a certificate for gmail.hu (yup, it’s not owned by Google), but got “Policy forbids issuing for name”. Any chance I will be able to get a cert for it?

Well, I dunno about ccb, but gmail may be tricky because it most certainly is a risky domain name.

On one hand I would also not issue gmail.hu.
On the other hand I would lay open the policy and the names that are listed as high risk.

  1. It was said it was only some bank names.
  2. Then it was extended to large shopping sites.
  3. Then we see that it also includes software sites.
  4. Now we see it also includes large mail sites.

@jsha, do you still stand by the statement that fewer than 200 names are blacklisted?

We’ve never claimed that the list was only bank names, or large shopping sites, or software sites.

Here’s our methodology to fill in the main part of our blacklist: We started with the Alexa top 1k domains. This was both too aggressive and not aggressive enough. There were a number of domains in that list that we didn’t consider high enough risk to prevent issuance.

Our security officers manually reviewed the list to trim it, ending with fewer than 200 “names.” They’re from all categories - banks, shopping, software, online services, and more.

At the same time, we added the notion of “permute.” Specifically, there are a number of domains, like “google” or “hotmail,” where domain.TLD exists and is registered to the same entity in almost all TLDs. However, in smaller TLDs the domain.TLD may not have enough traffic to wind up in the Alexa top 1k. So we introduce the notion of “permuting” a domain: If we believe a domain to be in this category, we blacklist it in each TLD.

I think it’s the case that we’ve been over-inclusive about which domains get the “permute” treatment for the blacklist. I’ll talk with other folks on the team about doing another pass to see which domains really should get that treatment.
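As an added illustration of the two-tier scheme jsha describes above (an exact blocklist plus "permuted" names blocked under every TLD), here is example code that is not Boulder's or Let's Encrypt's own; the blocklist entries, the toy public-suffix table and the rule that subdomains inherit their registrable domain's decision are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrPolicyForbids mirrors the ACME error text quoted in the thread.
var ErrPolicyForbids = errors.New("urn:acme:error:malformed :: Policy forbids issuing for name")
// Two blocklist tiers as jsha describes them; entries are constructed, the real list is not public.
var exactBlocked = map[string]bool{
	"example-bank.com": true, // placeholder: blocked in one TLD only
}
var permuteBlocked = map[string]bool{
	"ing":   true, // "permuted": blocked as ing.<every TLD>
	"gmail": true,
}
// Toy public-suffix table, longest first so "co.uk" wins; real code would use the Public Suffix List.
var publicSuffixes = []string{"co.uk", "com", "net", "rs", "cz", "hu", "de"}

// splitRegistrable maps "mail.ccb.cz" to ("ccb", "cz"); ok is false when no known suffix matches.
func splitRegistrable(name string) (label, suffix string, ok bool) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for _, s := range publicSuffixes {
		if strings.HasSuffix(name, "."+s) {
			labels := strings.Split(strings.TrimSuffix(name, "."+s), ".")
			return labels[len(labels)-1], s, true
		}
	}
	return "", "", false
}

// CheckName applies the policy. Assumption (not stated in the thread): a
// subdomain inherits the decision for its registrable domain.
func CheckName(name string) error {
	label, suffix, ok := splitRegistrable(name)
	if !ok {
		return fmt.Errorf("%q: no known public suffix", name)
	}
	if exactBlocked[label+"."+suffix] || permuteBlocked[label] {
		return ErrPolicyForbids
	}
	return nil // lookalikes such as "ing-bank.rs" are not caught by this scheme
}

func main() {
	for _, n := range []string{"ing.rs", "ing.co.uk", "mail.gmail.hu", "ccb.cz", "db24.de"} {
		fmt.Printf("%-14s -> %v\n", n, CheckName(n))
	}
}
```

Running it shows why ing.rs and ing.co.uk fall under the same "permute" entry while ccb.cz and db24.de pass, and why a name variation is not caught at all.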

What can I do to get our domain (ccb.cz) on the whitelist?
Is it possible?