I am curious to know if there is a process an organization could complete to request a certificate be invalidated by Let’s Encrypt due to the certificate being used to impersonate or maliciously represent a legitimate organization. How should someone do this?
Let’s Encrypt only provide DV certificates (which guaranty that the communication is secure with the website, not the identity of the entity behind it), not OV or EV ones (which gives more details about the entity behind a given domain).
If it’s a phishing domain, please see https://letsencrypt.org/2015/10/29/phishing-and-malware.html
If that domain is against the law (because it impersonate your company for example) you may contact the authorities and/or the registrar of that domain, or the hosting provider.
3 Likes
While I hear what you are saying, I have to point out that Let’s Encrypt, while doing a great service by making Certs available to all, they have allowed the nefarious and ner-do-gooders the ability to get cheap certs and really make problems for a lot of organizations. With the stance that Let’s Encrypt is taking, it seems that they are burying the head in the sand and saying go through law enforcement when we know how much time they have to investigate phishing. A way for this company to help all worldwide corporations would be to have a division that works with take down companies that they could report abuse and like other companies, work through those requests. We all have to do our part to help in the fight against these nefarious and wrong companies.
Who says it’s Let’s Encrypt’s job to decide what domain is legitimate or not? All they do is confirm you are securely connected to the domain listed in the address bar.
A program such as Google Safe Browsing is much better equipped to handle this matter.
1 Like
What is the CA's proper part in this fight? You assume it to be greater than I (and more to the point, Let's Encrypt) believe it to be. The CA's certificate verifies that the the holder of the certificate has demonstrated control over the domain(s) named in that certificate--that's it. It is not, and never has been, any assurance that the holder of the certificate is honorable, trustworthy, or anything other than a complete scoundrel.
So you propose that a nonprofit whose entire operation is based on completely automated certificate issuance and renewal triple their staff to do manual reviews. Think about this for a minute, and I think it will be obvious why this suggestion is unworkable (even if it were accepted that it's something that's legitimately the CA's role, which I don't).
2 Likes
I am simply making the case that since Let’s encrypt became mainstream, the number of nefarious domains run by nefarious actors are increasing. I don’t have the answer, but I feel that if a company comes to the table with a product, and that product is being used to increase crime and generate revenue loss for companies, who operate within the lines of the law (mostly 
) then that company does have the responsibility to be part of the solution.
The CA’s potentially need to incorporate a way for valid companies to report abuse and have a mechanism for action from the CA. For instance, if I put up a website target.click and have a full clone of that site with a let’s encrypt certificate and Target requests a takedown through a third party, either the take-down company or Target themselves should be able to request from Let’s encrypt that this is a clone of the site, being used for malicious purposes and should have their certificate revoked based on the activities they are engaging in.
Why do you feel this is the CA's responsibility, rather than the domain registrar's? Let's Encrypt is a free, non-profit service so their resources to handle abuse claims are naturally limited. The registrar is actually making money off the domain purchase, so they seem better suited for it.
Plus, going to the registrar will be more effective. Certificate revocation doesn't work very well since popular user agents don't actually check OCSP. The revoked cert will still show up as valid for most users. But if the registrar deletes their authoritative DNS records, the site will go down worldwide as soon as it falls out of caches.
A domain-validating CA's job is to verify that a hostname and and a public key pair are controlled by the same entity, nothing more. Verifying the trustworthiness of a web site is completely out of scope for the project.
Also:
I am simply making the case that since Let’s encrypt became mainstream, the number of nefarious domains run by nefarious actors are increasing.
Do you have a source that says phishing/fraud sites have increased substantially since Let's Encrypt launched? (Obviously the number of such sites using HTTPS has increased, but that's true of the web as a whole so it's not really relevant, I'm sure phishing sites use modern HTML and JavaScript as well.)
2 Likes
@OTO If you know of a fraudulent site, please report it to Google Safe Browsing:
Malware:
https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en
Phishing:
https://safebrowsing.google.com/safebrowsing/report_general/
This is a standard practice Cryptographic certificates only provide a way to prove one’s identity. They do not say that someone is good or has a right to perform some action. In this way they are more like a birth certificate than a driver’s license. You can report a birth certificate being lost or stolen (get certificate it “revoked”) and get a new copy of the birth certificate (get a new cert), but someone else can never revoke your own birth certificate.
3 Likes
But you are, in fact, target.click, so the certificate is valid. If someone is using the certificate to prove that target.click represents Target Corporation, they're misusing it.
1 Like
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.