Please REVOKE this certificate IMMEDIATELY!!! Also, I am interested in getting the cert registration information from you to send to law enforcement. I am very interested in the chain of custody and proof provided to register the cert.
Thanks for the report. Our current policy does not allow us to revoke certificates based on the content of websites, including for suspected phishing, malware, fraud, abuse, or otherwise objectionable content.
We recommend reporting such sites to Google Safe Browsing and the Microsoft SmartScreen program, which are able to more effectively protect users. Here are some reporting URLs:
If you’d like to read more about our policies and rationale, you can do so here:
That is incredibly unfortunate. You are enabling crime with such lax restrictions. I guess since there is nothing that can be done (many things CAN be done but WON'T be done) more people will succumb to crime. My friend got lucky and called me first. Others won't be as lucky.
As a result I am now a strong advocate for LE to get their CA revoked. At least make an attempt to stop crime.
I understand your frustration, and I think this is absolutely an area where reasonable people can disagree. I would ask that you give our blog post a close reading and consideration, and reach out to the reporting services that are better positioned to take action about this kind of malicious site.
Thank you. I am very familiar with certs, hence how I got here in the first place by determining who the CA was. And usually when you register a cert they verify who you are. The cert is tied to an entity. I am interested in who the registering entity is.
File a report with the network's abuse@, or similarly listed address.
If the website is using branded elements of a large company, one can also reach out to their abuse and legal contacts. These are often listed in the about/contact/legal pages.
Network operators and trademark registrants typically have legal teams that are dedicated to combatting this stuff. They can act quickly to not only fully deplatform the bad actors, but are also in the best position to identify them to law enforcement.
At best, a CA would only be able to remove the SSL lock - leaving the website in place. This would likely require multiple FT staff members to review and act on these complaints, and make the CA liable to legal action if there were false positives.
Additionally, due to inherent conditions and behaviors of the greater SSL Certificate ecosystem [such as OCSP stapling, browser behaviors, CA/B Requirements, etc], revoking a Certificate can take up to 10 days before it is reflected in a browser. This is why the major browser vendors – Google, Mozilla, Apple, Microsoft, etc – all run their own reporting and safe-browsing systems to more quickly identify and block security threats. They constantly push lists of dangerous sites to their clients for immediate blockage.
While CAs are responsible for granting the "lock" of an SSL site, they are simply in the worst position to remove the lock or deplatform a bad actor.