SSL Certificate Issues / CAs enabling Scammers?

Well, it was on the expected lines. The thread where I highlighted the complicity of CAs was locked by the moderator / someone from Chrome team. It is fantastic to know that all roads seem to lead to Rome. No wonder no one is accountable my friends.

Aaron Gable you quoted CA Browser Forum's regulations from their published document. That section simply covers the baseline requirements. It does not cover what the CA is supposed to do if a breach is found. So you are quoting the wrong section.

The same document outlines Section 4.9.1.1 that clearly states that it is the duty of the CA to revoke the certificate when breach is found.


Section 4.9.1.1 which states that "The CA SHOULD revoke a certificate within 24 hours and MUST revoke a certificate within 5 days if one or more of the following occurs: Under that in point 2: It says - The CA obtains evidence that certificate was misused; .

CAs are not doing that, they do not have the mechanisms in place to revoke the certificates within 5 days. Look at the entire thread, people are simply trying to absolve the CA of any responsibility. That's a very myopic view of how to safeguard and improve safety and security for the consumers on Internet.

Well, the good thing is that we are documenting this entire process now and the next step would be to go to all the sponsors. We understand that this is a marathon but I promise this is just the beginning.

If any of you really care about making Internet safe then you should carefully review the role of basic certificates in enabling online scams. If you are working at Google, then you can evangelise this internally as well.

Google is not Internet. Why should we have to go to two private companies to resolve the issue? Someone has to take a stand, dear friends as I said this is just a beginning. Please don't take this personally.

We are simply curious to know which CAs want to play ball and which ones want to turn a blind eye.

Finally, if CA Browser Forum does not address something properly, we will get that changed too. We are already starting to see a lot of concern from people in the administration.

What does misused mean in this context? If your domain is i.am.a.spammer.spam and you control it, the certificate is not misused.

5 Likes

@lestaff, you didn't want my input on the last one, so it's all yours.

5 Likes

I do not agree with you. If your domain is you.are.a.swindler.com and you are impersonating another credible American Business, then as a CA you are very much responsible. Does the charter not get governed by the law of the land? In USA, impersonating an american business is a crime. Is that not a "misuse"?

Having said that all answers are on the expected lines. Every response helps us, trust me, to highlight this even more. Thank you for that.

Do you have any case law to reference?

That's nothing more than one opinion, not common law.

I dislike spammers, so much so that I operate an IP block list with more than 30M IPs in it.
But I also understand the problem here.
And you are putting the blame or duty on the wrong party.

5 Likes

For background, it is important to understand the distinction between a few different kinds of certificates that exist.

Domain Validation (DV) certificates convey only one piece of meaning: the entity which has control over this domain name wants this domain name to be associated with this public key.

Organization Validation (OV) and Extended Validation (EV) certificates convey the above, as well as information about the business or other entity which controls the domain, such as their name of incorporation, locality of operation, and more.

Let's Encrypt does not issue OV or EV certificates. The certificates issued by Let's Encrypt are all DV, and therefore only indicate that the entity which controls a domain wants to use a particular public key in order to negotiate TLS encryption.

In this context, "misuse" would be something like using that certificate to attempt to do something other than negotiate a TLS handshake. Examples of such include using the certificate to sign a code artifact, or using the certificate to secure an email message. Using the certificate to secure communication between end-users and the domain in question is not misuse -- that is in fact the only correct use of the certificate.

If the certificate is being used to secure communication with a domain that is impersonating a business, then it is the domain (or its operators) that is liable for any accusations of impersonation. The presence of a DV certificate has no bearing on the contents served by the domain, nor whether those contents constitute a crime.

I would like to emphasize: all of the above is established Root Program policy, not just a changeable stance taken by Let's Encrypt. Let's Encrypt abides by the policies set by the Root Programs (e.g. Firefox, Microsoft, Apple, and Google) in which Let's Encrypt's root certificates are trusted. Those policies are clearly outlined by each Root Program's individual requirements, all of which include the Baseline Requirements.

It sounds like you would like to hold CAs to a different standard that the current Root Programs do. That is understandable. If you would like to make that change, I suggest you establish your own Root Program which will only include CAs which abide by your requirements. If CAs find it desirable to be included in your Root Program, they will change their practices to match your requirements.

P.S. I suspect that you will find responses here to be more welcoming if you do not alienate the people who might be willing to respond. For example, a very quick inspection of my profile will show that I do not work for Chrome or Google; that was my previous job. Similarly, I would point out that statements like "I promise this is just the beginning" may sound like threats -- if that is not your intent, I would encourage you to think critically about your phrasing; if that is your intent, I would encourage you to change your intent.

14 Likes

That's a crime, a matter for the courts.

Nothing concerning a CA.

You're directing your anger at the wrong organisation. The scammer deserves it. Let's Encrypt doesn't.

5 Likes

To add on this: it's exploitable as well.

You can get an EV certificate with any organisation name you want, you just need to incorporate a paper company somewhere.

4 Likes

Let's take this to brick-and-mortar businesses for a clearer understanding. Let's say that you own Mendy's restaurant and hired a security company to install a safe and an alarm system in your building and a food delivery company to get supplies. Let's then say some shady characters steal your recipes, open Bendy's restaurant, and hire the same security company to install a safe and an alarm system in their building as well as the same food delivery company to get supplies. To the security company, Mendy's and Bendy's are both simply customers who want their buildings secured.

Do you:

a. Go after the security company
b. Go after the food delivery company
c. Call the police
d. Contact a lawyer about your criminal and civil rights against the thieving business

7 Likes

Dear Aaron,

I will respectfully agree to disagree with you as well as some other members of this community. It is "Scam enablement" written all over it. I have a list of at least 150+ online scammers (that we have painstakingly collected) that are using Let's Encrypt's Domain Verification Certificates. Almost all of them are based out of countries like Nigeria, Pakistan, Philippines and India.

I think it will be futile to play a legal ping pong on this thread but it is very clear that Certificate Authorities simply don't think that they should be held accountable. That is a trust issue. I am not the only one who understands how "CAs" are contributing to these online scams, other do too. Here is another news story that clearly outlines the problem:

As for the legal precedence, there are a few where CAs and Registrars have been instructed to revoke the credentials. The reason I bring this to this forum is because again and again certificates (does not matter which type) issued by Lets Encrypt are coming to the fore.

Today you may not think this is a problem and CAs should not be held accountable but I have a strong belief that it is just a matter of articulating this to the US Congress on how the non-profits are becoming enablers of putting American businesses and consumers at risk.

Again as I have mentioned before this is not personal and yes at times the frustration seeps through.
Finally answering your "this is just the beginning" certainly has a clear meaning. It means that we will evangelize this issue to its logical end. Either we are right or some of CAs are right issuing certificates left and right.

This has to stop. I understand it will take a lot of directed effort on our part but please keep in touch while we keep on talking about it and doing something about it at the right forums.

I don't see any reason for anyone to feel threatened if they believe they are doing the right thing by consumers and American businesses.

Thank you for making your stance clear.

I don't believe there is any further discussion to be had in this thread. I encourage you to work with the CA/BF to establish new requirements if that is the kind of change that you want -- if the root program requirements are updated to state that CAs must revoke certs which are being used for phishing or impersonation, we will of course comply.

I encourage other members of the community to let this thread lie, continued interaction will likely not be beneficial to any parties involved.

9 Likes

Well, if you belong to an organization willing to stamp out bad, illicit, fraudulent sites around the world, Please share a link so we can join the fight!
Cheers!

6 Likes

I have to disagree with the implications of the term "enabling" being used here.

If tomorrow a fad starts where people stab each other with wooden pencils...
Are we supposed to put the responsibility on anyone that sells wooden pencils?
Are we supposed to stop manufacturing them?
Anything and everything can be used for good or not.

Two things that may effectively mean the same thing but come out very differently:

  • I'm having this "trouble", what can/should I do to "correct it"?
  • I'm having this "trouble", you are responsible for my "trouble" and must do something to "correct it" immediately!

I do see/understand the "crime", I just don't see the corrective focus going into the right "force(s)" nor it being addressed in a manner that garners any support nor the desired result.

4 Likes

Clearly your world view is different than mine. I will continue to assert that CAs have a legal and moral responsibility to avoid "enabling" the scammers. There is no other way to describe it. Who said that this is the only forum we are making a noise at? We are knocking doors of every possible avenue and as I have mentioned, we have just begun. We are determined to evangelize this to its logical end.

We dont have to agree. Its funny how these wooden pencils, locks and locksmith examples are being thrown to justify tacit complicity. I don't think that any of you don't understand this issue, I just wonder what motivates some to let American businesses and consumers suffer? Two wrongs don't make a right. CAs are certainly have a role to play in making internet unsafe. You would say safe and I would say thank you. Good luck!

Let me put in a clearer and concise (debatable) argument:
If HTTPS didn't even exist (no CAs to be found), the scammers would still be scamming (via HTTP).
[http://G00GLE.com/] not [https://G00GLE.com]
Who would be to blame then?

  1. the domain registrar that issued them a lease to a "similar/confusing" name
  2. the scammers
  3. the humans that fell for the "trap"

Add HTTPS and now the CA that issues a cert (all of which would do so, if you are already able to obtain the domain from a registrar) is the one to blame?

  1. the CA
  2. smart phone manufacturers [whose phones are everything but smart]
  3. the web browser that doesn't spot the obvious similarity
  4. the world

I know this will go on deaf ears.
No, I'm not biased nor prejudiced in any way.
I'm just a realist.
We can find faults in everything we look at.
But are those faults avoidable? Intentional/deliberate? Harmful? Easily preventable?
In this particular "case", as for any CA's role, I don't really see more than one possible "yes" to any of those questions.
Unfortunately and potentially harmful? Obviously.
[but many such products are sold with only "warning labels" all over the world each day]
Intentional/deliberate or avoidable/preventable? There is no system even in place to address this at this level. [again, wrong audience to hear such a complaint]

5 Likes

We all understand the issue. It is valid.. and we all know it. The link you provided is seven (7) years old. It doesn't mean that it is not valid. But there is a reasonable standard of truth. Your claims are dated. You are not standing on your identity. (if there is none) But the premise is valid.
How can a CA police the internet?
There are too many examples of the realities of life on the "internet".
Why target opensource CA's. I don't see a great opposition of commercial CA's here.
Let's Encrypt's mission is to "certify the web". What objection could any one have for that?
Some one abuses it?
Get a grip.
You haven't given us any reason to support your claim(s)
If someone comes to my door and says.. "you are not complaint" .. The first question I would have is "Who are you" and "Show me your credentials"
There are no credentials here. There is no I am XXX. Nothing.
Whoever "we" is, is BUNK!

5 Likes

Great, you guys are operating like a gang harassing people who come with genuine complaints and using whataboutry and community standards to put others down. I shared my genuine ID to register and Lets Encrypt team can easily identify it.

Shame on you guys. You have no idea what will all of this lead to. I am documenting each and every action. I am now getting more and more convinced that you have some vested interest one way or another. You want my Id, share yours and I promise you will hear from me as soon as I see it.

You guys need to stop using this community forum to attack new people who come here. I have a strong opinion on these practices but that does not mean you guys will gang up and attack.

Learn a few things from Aaron, he talked nicely, was empathetic and the conversation was civil even though I disagree. Don't worry you are doing Let's encrypt a great service. Someone tried to ask you guys to butt out of this conversation but many of you cannot let it go, isn't it?

Keep it up, I am documenting everything. Thank you.

1 Like