SCAM Website using your SSL cert - Please remove certificate

Please revoke SSL on this scam site
One of the SSL certificates registered with you is openly used on fraudulent sites. Domain [yourglobaldeal.com](https://yourglobaldeal.com/) used to host a fake trading exchange. Please initiate a review of it and revoke SSL.

Thanks for your work.

2 Likes

Welcome @Tanukipes

Please refer to this FAQ answer for the suggested way to report this

10 Likes
6 Likes

That's very nice, but will LE refuse to renew the certs of bad actors? Sure hope so.

Please read

5 Likes

No, because Let's Encrypt is not the Internet police. (That's a good thing.)

Snark aside, though (sorry), it's not good to permanently block a domain name from certificates just because it may have been compromised for a brief period. Depending on the nature of the offense, it could put a lot of innocent users at risk, or at least wrongly punish an innocent future owner of the domain.

Ultimately, CAs have nothing to do with the content of websites or the behavior of web properties. They just verify control over DNS zones. Concerns with regards to the law should be brought up with law enforcement, the actual web host, or the domain provider.

9 Likes

I'm old enough to remember when CAs did some diligence and the browsers believed when a CA declared a site belonged to a certain entity. Wasn't perfect but it would've stopped usps-onlinestore.com. LE is enabling them to do their scam. Without LE, or rather, browsers' trust in LE, you practically couldn't get to the scam site.

That was true when the Internet only had a handful of websites using SSL.

But even before Let's Encrypt, CAs' cheapest certs (DV) only validated DNS records.

Even the most expensive certs, EV certs, could be spoofed:

Turns out CAs aren't the right tool for stopping malicious sites on the Internet.

7 Likes

I read it, and at the end of it, it says

At least for the time being, Let’s Encrypt is going to check with the Google Safe Browsing API before issuing certificates, and refuse to issue to sites that are flagged as phishing or malware sites. Google’s API is the best source of phishing and malware status information that we have access to, and attempting to do more than query this API before issuance would almost certainly be wasteful and ineffective. (Update: As of January 10, 2019, we no longer check domains against the Safe Browsing API.)

The link is to an ex-cathedra pronouncement that "We’ve stopped checking with Google Safe Browsing primarily because Domain Validation certificates are intended solely for use in securing the transfer of data between a site and its visitors."

So the browsers shrug, the CAs shrug, the DNS TLDs shrug. I guess we need a Great Firewall.

Anti-phishing is handled by services like Google and Microsoft’s tools meant specifically for that. They are able to respond much faster than revoking certificates, on the scale of minutes instead of days. All mainstream browsers check those services.

Blocking TLS certificates for suspected phishing sites does not take them offline, and does not stop them from phishing.

12 Likes

What? That is a non sequitur. No one is calling for a Great Firewall. No one is "shrugging."

Like mentioned above, the proper venue for handling illegal activity on the Internet is law enforcement agencies, web hosts, and domain registrars.

I understand that you're frustrated, but this is not the first time a square peg has tried to be shoved into a round hole.

8 Likes

LE is "shrugging": "not our problem". Everyone says that. I am the one calling for a great firewall. If it's nobody's job to prevent access to obvious and well known scam sites, then it must be the government's job, right?

I'm advocating for doing what's obvious and easy, return to using some criteria like an API that would flag certain CNs as ineligible for renewal. (Because I really don't want the Great Firewall).

Everyone does not say “it isn’t our problem”.

https://safebrowsing.google.com/safebrowsing/report_general/

https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest

Submit phishing pages here. Browsers will alert users.

10 Likes

Your frustration is clouding your memory. The scenario you describe refers to EV certificates, which have never been the norm. And while they still exist, the browsers are no longer giving the obvious UI indications they once did, because they've been proven time and time again to be useless.

But fundamentally, you're making the same mistake so many others have made before you, that of believing that a cert means more than it does. All it means--and all it has ever meant--is that the website you're communicating with has validated control over the name on the cert. That's it. It does not, and cannot, mean anything else. It promises you private communication, but your private communication could be with Satan himself.

7 Likes

@hughw you have the personal choice of not visiting sites that are using Certificates issued by Let’s Encrypt.
You also have the personal choice of not trusting sites that are using Certificates issued by Let’s Encrypt.
You own your own security policies and profile.

6 Likes