Reason for not publishing list


#1

I will be quite straightforward: Why isn’t the high risk domain blacklist public?

I would prefer to get this question answered by a Let’s Encrypt official, rather than other people guessing the reason.


#2

No answer here? Why?


#3

This is one of those things that we’ve thought about making public but just haven’t finished considering. It may happen in the future. This is true of a number of things, but we have limited resources and a lot on our plate.


#4

Is it that difficult to just publicize the list by pasting the file onto the Git repository of Boulder?


#5

I believe what Josh was talking about was considering whether it would make sense to publish the list, or if it would involve any risks. The actual effort of maintaining that list would probably be no biggie.

I’m curious: Why is it important? It seems to me like anyone affected by this could learn about it quite easily by trying to get a certificate for their domain, and for everyone else it’s not really a problem.

It’s not that I’m really opposed to this, though I’m not familiar with the Baseline Requirements (and the relevant sections in the CPS) that dictate there should be a procedure for high-risk domains, so I can’t really say if it would be a good or bad thing in that context. I just don’t see the value of this list.


#6

I will be quite straightforward: Why is this important at all?

This has already been discussed in other threads, and the only sites that tend to be rejected are ones that are deceptive or can be used for phishing (e.g. in another thread someone was complaining that they couldn’t get a site named after a core component of Windows, windowsnotificationcentre.com and was claiming it was a “M$” conspiracy).

The only other ones denied are government sites for countries on the US sanctions list.

Besides, my understanding was Let’s Encrypt is using Google’s blacklist, so you should really be asking Google for the list, not LE.

I’m with pfg on this, it’s simply not important and I really hope Let’s Encrypt isn’t wasting any resources on it.


#7

What is an example of a “high risk domain” in this context?


#8

I provided an example from a previous thread: windowsnotificationcentre.com. This is high risk because Windows actually has a Windows Notification Centre, and the domain could be used to trick people into installing malware or providing personal information.

Other examples off the top of my head would be sites like itunes-update.com (for the same reason above) or common misspellings like microsorft.com. Basically anything that isn’t part of your name or business that can only be used for deceptive purposes.

This isn’t a blanket thing of course. There was a German gmail.de operating for years before Google decided on that name. Google tried to buy the name and when the owner refused, took him to court. The original owner rightfully won.

The other type of domain that LE won’t encrypt are ones they legally can’t, such as government sites for countries the US has sanctions against. These are not likely to ever come up (I can’t imagine Iran’s equivalent of a Department of Defence asking Let’s Encrypt to encrypt www.defence.gov.ir).

Basically, nobody but scammers and tin-foil hat owners are worried about such a “blacklist”, which is why Let’s Encrypt aren’t putting any energy into it.


#9

I will respond with a question: Why not make the list public?

You ask me why it is important to make the list public, I ask back why it is important to hide the list.


#10

One good reason for hiding such lists is usually security.

The list consists of “high risk” domains …

If I had access to that list, and I was not a nice person, I’d look at the list of banks etc. and see whether there were any gaps. Was there something that was close enough to a software or online service that would fool people, but not actually on the list, and could I get that domain? I’d then get a cert for that domain.

If the list is not published, I’d have to guess a few times, purchase those other domains etc. and it’s much harder for me.


#12

We all know you’re a nice person! You’re infinitely more patient than I am! :grin:


#13

Could some of the domains on the list be associated with serious criminal activity, and thus publishing such a list could give rise to liability or criminal trouble?


#14

You’ve already been given an answer: it’s not public because it’s a waste of time even to think whether it could be made public or not.

Now once again, please provide a reason for making it public, if possible one important enough to justify spending the required time.


#15

Isn’t transparency one of the important goals of LE? ISRG even publishes a legal transparency report. So, not publishing such a list is definitely not being totally transparent. There is the reason: Absolute Transparency in everything.


#17

It is not JUST LE’s list.
LE uses both their own list of “high risk domains” and the Google Secure Sites or whatever that was called.
There were already questions here and there on why someone’s name was blocked (there was somebody with an ING domain who seemingly didn’t know that there was a bank with that name; maybe it isn’t known in his part of the world), and what got even more confusing is that the list was changed and it had worked before.

I think we need a nice little talk about security by obscurity.

Let’s look at this from another perspective:
Guess why Linuxes are usually quite a bit more secure than, for example, Windows? Well, I would say because they are open source and anyone can point out flaws and even fix them, and if someone does junk, the next one will straight away remove it.
The following wouldn’t apply to an LE blacklist, but let’s say this: a closed piece of software could easily try to phone home or the government, while in open source software each transmission can be seen because people can just follow the code.

Let’s hope this is a joke.
Even if I don’t like it that much, LE is THE CA for automation; don’t say that it takes something serious to publish the list.
Depending on the format I could write a PHP script that reads and renders the list, even in real time if you want.

Also, such a list could be commented so people know WHY their name is on the list, because sometimes it is not widely known in that person’s environment (for example, who expects a Chinese person to know all about the services of Google or anything else that is usually blocked by the Great Firewall of China?).


#18

There is a huge difference between source code (in which I agree totally the openness helps ensure Linux is a little more secure) and data.

Having the source code for SSH available to everyone makes it much more secure. Providing everyone the data I use for my public / private key doesn’t though.

Having the process by which LE checks your domain for proof of ownership open source makes it much more secure. Specifying exactly which IP address it would always check from makes it less secure - hence that information isn’t published and LE state that they may use TOR or a similar method to ensure it’s from a randomized IP address.


#19

The list is basically a list of high-profile financial institutions, tech companies with a security focus, commonly targeted e-commerce sites, major social networks, certificate authorities, and some sites prohibited by the U.S. Treasury Department’s SDN list.


#20

Well, their IPs are something different from the blacklist.
The IPs are something LE cannot easily change to something desired, and a whitehat cannot really do anything about it. But for the blacklists a whitehat can point out those gaps and help LE fix them.

Providing everyone the data I use for my public / private key doesn’t though.

But then again, most implementations of how people generate their keys are open source.
The exact generation data for your key is secret and random because that is what is used to encrypt, but the algorithms are mostly open source. Who would have thought about the Debian weak keys issue?
Before we get to the source vs. list issue: the list is essentially an “algorithm” to determine what domains are okay and what are not, so I think it would count here as a thing that should be public, again, as I said, because this allows whitehats to fill gaps. But what could also be done, instead of a full list of each and every alteration, would be that a user could enter their name and get the fitting entry, so that for example windowsupdatewhateversomething gets shown that it has an association with Windows and is therefore blocked.

@josh what is that SDN thing? When I just did a quick search on “SDN” I mostly found software-defined networking. Is that such a bad thing that it needs to be banned?
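The “enter your name and get the fitting entry” lookup suggested above, as an added example written for this edit. It is not Boulder’s code and not Let’s Encrypt’s list: the three list types (exact name, name-plus-subdomains, high-risk brand fragment), every entry, every annotation and the matching rules are constructed assumptions. It also shows the problem raised earlier in the thread with a short name like “ing”: matched as a substring it would flag every “shopping” and “marketing” label, so short entries here only match a whole DNS label.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Decision says whether a name may be issued for and, if not, which rule
// fired, which list entry matched and the annotation explaining that entry.
type Decision struct {
	Allowed bool
	Rule    string // "exact", "suffix" or "high-risk"
	Match   string // the list entry that matched
	Reason  string // why the entry is on the list (the "comment" asked for above)
}

// Policy holds three kinds of entries. Every entry in NewPolicy is constructed
// for this example; none of it is Let's Encrypt's actual list.
type Policy struct {
	exact    map[string]string // blocks exactly this name, not its subdomains
	suffix   map[string]string // blocks the name and every subdomain of it
	highRisk map[string]string // brand fragment -> why it is listed
}

func NewPolicy() *Policy {
	return &Policy{
		exact:  map[string]string{"exact-only.example": "reserved name; subdomains are fine"},
		suffix: map[string]string{"blocked-agency.example": "entity on a sanctions list"},
		highRisk: map[string]string{
			"windows":   "Microsoft Windows (Windows Notification Centre is a real component)",
			"itunes":    "Apple iTunes",
			"microsoft": "Microsoft Corporation",
			"ing":       "ING Bank (short name, so only a whole label matches)",
		},
	}
}

// normalise lower-cases the name and drops a trailing dot, so the lookup is
// case-insensitive and "example.com." equals "example.com".
func normalise(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the plain edit distance, used to catch one-letter typosquats
// such as "microsorft" against "microsoft".
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// labelMatchesBrand: a label equal to the brand always matches. Brands of five
// or more characters also match as a substring or at edit distance 1. Shorter
// brands never match as substrings, so "ing" flags "ing.example" but not
// "shopping.example". The threshold of 5 is an assumption for this example.
func labelMatchesBrand(label, brand string) bool {
	const minSubstringLen = 5
	if label == brand {
		return true
	}
	if len(brand) < minSubstringLen {
		return false
	}
	return strings.Contains(label, brand) || levenshtein(label, brand) <= 1
}

// Check applies the exact list, then the suffix list (walking up the parent
// domains), then the high-risk brand list label by label.
func (p *Policy) Check(name string) Decision {
	n := normalise(name)
	if why, ok := p.exact[n]; ok {
		return Decision{false, "exact", n, why}
	}
	for cand := n; cand != ""; {
		if why, ok := p.suffix[cand]; ok {
			return Decision{false, "suffix", cand, why}
		}
		i := strings.Index(cand, ".")
		if i < 0 {
			break
		}
		cand = cand[i+1:]
	}
	brands := make([]string, 0, len(p.highRisk))
	for b := range p.highRisk {
		brands = append(brands, b)
	}
	sort.Strings(brands) // deterministic order, so the same entry is reported each time
	for _, label := range strings.Split(n, ".") {
		for _, brand := range brands {
			if labelMatchesBrand(label, brand) {
				return Decision{false, "high-risk", brand, p.highRisk[brand]}
			}
		}
	}
	return Decision{Allowed: true}
}

func main() {
	p := NewPolicy()
	for _, n := range []string{"windowsnotificationcentre.com", "microsorft.com", "shopping.example", "www.blocked-agency.example"} {
		fmt.Printf("%-32s %+v\n", n, p.Check(n))
	}
}
```

The point of returning `Rule`, `Match` and `Reason` together is that a “why was I blocked?” self-service page can be built without publishing the list wholesale: the requester learns only the entry that matched their own name, which is the middle ground the thread is circling around.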


#21

Exactly as has been done here. The “algorithm” or methodology has been stated …

The pure data hasn’t.

Specially Designated Nationals List (SDN) - https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx


#22

Transparency [total transparency, and absolute transparency] was achieved when stating such a list exists, and when further disclosing information about ways in which that list is populated.

One does not need to divulge the specifics of internal security processes in order to be fully transparent – especially when the act of doing so would likely undermine their efficacy. Additionally, as others stated the lists may contain data assembled by other groups which may be covered by various contracts and non-disclosure agreements.