Discusses how letsencrypt enables cybercriminals by issuing certificates to phishing sites. Although it has always been possible to obtain a domain-validated SSL certificate for any domain under your control, the low cost of entry is what makes letsencrypt stand out.
I have read a number of posts about phishing sites, and it appears to me that letsencrypt abdicates its responsibility in this arena. At least, I could not find any information that specifies proactive action.
One of the most important things to know about phishing sites, if you don't already, is that they are not long lived; they are quick-hit sites, so "normal" reactive methods are already too late. Certificate revocation, or waiting for the browsers' unsafe-site warnings to kick in, comes too late.
It is important to realise that a site does not make it onto a blocklist until after the damage has been done.
The last thing anyone wants is for letsencrypt to be tainted by such activity, as has happened to Tor.
To make it harder for phishing site operators to do their work, it is far better to be proactive than reactive.
One way to do this is to add a mechanism that inspects the certificate request and automatically refuses any name that is too similar to a high-profile website, such as paypal.attack.moc, or even poypal.attack.moc or just poypal.moc. Detecting such similar names is not hugely difficult.
The difficult part is the manual review process: when a legitimate site is blocked, there needs to be a way to override the block so the certificate can be issued.
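As an added illustration of both points above (the similarity screen and the manual-review override), here is a small pre-issuance check written for this thread. It is not letsencrypt's code and does not reflect how any CA actually screens names. The brand watch list, the confusable-character table, the edit-distance threshold and the allowlist of manually reviewed names are all assumptions chosen for the example; the request names it runs on are constructed.

```python
"""Pre-issuance look-alike screen for requested certificate names.

Added example for this discussion, not code from letsencrypt or any CA.
Every list and threshold below is an assumption for illustration.
"""
from __future__ import annotations

# Assumed watch list of high-profile brand labels (hypothetical choice).
WATCHED_BRANDS = ("paypal", "google", "apple", "amazon", "microsoft")

# Small assumed table of look-alike sequences folded onto what they imitate.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def fold_confusables(label: str) -> str:
    """Lowercase a label and map common digit/letter look-alikes to letters."""
    out = label.lower()
    for bad, good in CONFUSABLES.items():
        out = out.replace(bad, good)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def labels_of(name: str) -> list[str]:
    """Split a DNS name into labels, decoding xn-- (IDNA) labels so they compare as text."""
    name = name.strip().rstrip(".").lower()
    try:
        name = name.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already non-ASCII or not valid IDNA: compare the raw labels
    return [lab for lab in name.split(".") if lab]


def screen_name(name: str, brands=WATCHED_BRANDS) -> str | None:
    """Return a reason if any label of `name` resembles a watched brand, else None.

    Every label is checked, so paypal.attack.moc is caught even though the
    registrable domain is attack.moc, and poypal.moc is caught by edit distance.
    """
    for label in labels_of(name):
        folded = fold_confusables(label)
        for brand in brands:
            if label == brand or folded == brand:
                return f"label {label!r} is the brand {brand!r}"
            if brand in folded and len(folded) > len(brand):
                return f"label {label!r} contains {brand!r}"
            limit = 1 if len(brand) < 8 else 2  # assumed tolerance by brand length
            if levenshtein(folded, brand) <= limit:
                return f"label {label!r} is within edit distance {limit} of {brand!r}"
    return None


def decide(requested_names, allowlist=frozenset(), brands=WATCHED_BRANDS) -> dict:
    """Screen every name in one certificate request.

    Names already cleared by manual review (the allowlist) skip the screen;
    any other flagged name puts the whole request on hold for a human.
    """
    flagged = {}
    for name in requested_names:
        key = name.strip().rstrip(".").lower()
        if key in allowlist:
            continue
        reason = screen_name(key, brands)
        if reason:
            flagged[key] = reason
    return {"action": "hold" if flagged else "issue", "flagged": flagged}


if __name__ == "__main__":
    # Constructed requests: the first mimics the thread's examples, the second is a
    # legitimate name that trips the screen and is released via the review allowlist.
    print(decide(["paypal.attack.moc", "poypal.moc", "paypa1-login.moc"]))
    print(decide(["pineapple.moc"]))
    print(decide(["pineapple.moc"], allowlist={"pineapple.moc"}))
```

The pineapple.moc case is the point of the second paragraph above: a substring or edit-distance screen will block legitimate names, so the override has to be a reviewed allowlist keyed on the exact name, not a relaxation of the rule. The confusable table also shows why digit substitutions (paypa1, micros0ft) have to be folded before comparing; a plain edit-distance check alone would miss some of them once the threshold is kept tight enough to avoid flagging unrelated words.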