This post is just an open question to this company and its members.
I have noticed a bunch of scam websites recently. Lots of them use Let's Encrypt as their certificate provider. I have no knowledge about how it all works; however, I am curious as to whether the users of your service are vetted in any way whatsoever.
I find it strange that a scam website can have a certificate that states "Connection is secure" when the reality is just the opposite. The connection is 100% insecure and only there to steal sensitive data.
So I guess I have a few questions:
How can scammers get this "secure connection" certificate so easily? Is there no way to prevent this? Why is nothing being done about this?
For an example of a scam website using your service, you can visit: shnsryj[.]lol/uk
CAs are not the place to do anything about it.
Things are being done elsewhere.
See: VirusTotal - URL
Because a link is secured by a certificate doesn't mean the content is safe.
If you come to a door with many super-secure locks on it and knock, what do you expect will be on the other side when it opens?
No, the connection is in fact secure. The fact that you're communicating securely with someone that you didn't want to be isn't in the scope of the certificate.
That's a fair comment. When HTTPS (certs) was first introduced it was described as being "secure". At the time online banking and payment systems were early adopters. You can imagine why it was important for them to have all exchanged info be encrypted.
HTTPS was (and is) far more secure than sending all comms as clear-text HTTP. That info can be intercepted by various kinds of "in the middle" comms devices: Wi-Fi hotspots, network routing and caching systems, and others.
The "marketing" of that was almost too good. Making people think that was the ONLY thing needed for security. This was never true. It is also why browsers today have started to de-emphasize the "secure" icon in the address bars.
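To make the point in the replies above concrete, here is an added illustration (not code from Let's Encrypt or from anyone in this thread) of the questions a browser actually asks before showing a padlock: is the chain signed by a trusted root, and does the name in the certificate match the host in the URL. Whether the site is honest is not an input to that decision; that judgement lives in a separate layer such as the URL reputation services mentioned earlier. The certificate fields, the trust store and the block list are all constructed stand-ins, and the leaf issuer is treated directly as the trust anchor for simplicity.

```python
from dataclasses import dataclass

# Assumption: the client's trust store, as a set of root CA names (constructed).
TRUSTED_ROOTS = {"Example Root CA"}


@dataclass
class Cert:
    """The handful of certificate fields that matter for the padlock decision."""
    subject_alt_names: list  # DNS names the CA validated control of (DV)
    issuer: str              # who signed it; simplified to the root itself here
    chain_ok: bool           # signature chain verified up to that root


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name match: case-insensitive, one leftmost wildcard only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label, match exactly one label,
    # and never cover a public suffix like "*.com".
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def browser_would_show_padlock(cert: Cert, host: str) -> bool:
    """Trusted chain plus name binding: that is the entire scope of the certificate."""
    if not cert.chain_ok or cert.issuer not in TRUSTED_ROOTS:
        return False
    return any(dns_name_matches(san, host) for san in cert.subject_alt_names)


def url_reputation_bad(host: str, blocklist: set) -> bool:
    """The separate layer (blocklists, URL scanners) where the content is judged."""
    return host.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    # Constructed example: a phishing host with a perfectly valid DV certificate.
    phish = Cert(["phish-login.example"], "Example Root CA", True)
    print("padlock:", browser_would_show_padlock(phish, "phish-login.example"))
    print("blocked:", url_reputation_bad("phish-login.example", {"phish-login.example"}))
```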