SSL Issued From LE Being Used in Credit Card Scam

This post may or may not be in the correct section, so please bear with me.

A friend of mine received a scam email which directed to the payment website:

This is the page that you are presented with:

Please REVOKE this certificate IMMEDIATELY!!! Also, I am interested in getting the cert registration information from you to send to law enforcement. I am very interested in the chain of custody and proof provided to register the cert.

What can be done to stop this abuse?

Thanks for the report. Our current policy does not allow us to revoke certificates based on the content of websites, including for suspected phishing, malware, fraud, abuse, or otherwise objectionable content.

We recommend reporting such sites to Google Safe Browsing and the Microsoft Smart Screen program, which are able to more effectively protect users. Here are some reporting URLs:

If you’d like to read more about our policies and rationale, you can do so here:

We collect little or no information about most subscribers' identity. Our Privacy Policy prevents us from disclosing subscriber information unless it is required by law, such as pursuant to a subpoena or other judicial or administrative order.


That is incredibly unfortunate. You are enabling crime with such lax restrictions. I guess since there is nothing that can be done (many thing CAN be done but WON'T be done) more people will succumb to crime. My friend got lucky and called me first. Others won't be as lucky.

As a result I am now a strong advocate for LE to get their CA revoked. At least make an attempt to stop crime.

That domain is using Cloudflare's CDN. Cloudflare's CDN obtained the certs on behalf of that domain owner. And, in this case got certs from both Google and Let's Encrypt.

In addition to James' suggestions you might also want to report it to Cloudflare


I understand your frustration, and I think this is absolutely an area where reasonable people can disagree. I would ask that you give our blog post a close reading and consideration, and reach out to the reporting services that are better positioned to take action about this kind of malicious site.


Thank you, I will. I hope in the future you change your position on the criminalization of your services, lest the government(s) mandate it for you.

I sincerely appreciate the quick responses to my posts.

1 Like

You need to understand what a certificate is certifying.

A Let's Encrypt certificate only certifies that you are speaking to a server that has been authorized by whoever controls the domain name.

If whoever controls the domain name is a criminal, then Let's Encrypt certifies you are actually speaking to the right criminal and nobody else.

There is no other check.

This is among the reasons browser don't show a lock anymore: https isn't safe, it's just encrypted.


Thank you. I am very familiar with certs, hence how I got here in the first place by determining who the CA was. And usually when you register a cert they verify who you are. The cert is tied to an entity. I am interested in who the registering entity is.

But thank you for your reply.

1 Like

In the context of DV certs, those entities are domain names, not people, not organizations.

And the information about the subscriber and their acme account, it might be completely bogus. The only thing identifying an account is its number and public key, maybe an unverified email address.

But in this case, it doesn't even apply: cloudflare got the certificate on their behalf. You'd only get cloudflare's details, and those you can easily find on their website.



If you suspected a building was being used for criminal activity, would you contact...

a. the company contracted to provide security for the building to request removal of the locks from the doors?

b. the law enforcement or other regulatory agency concerned with the type of crime suspected of being committed to file a criminal complaint?


Everything that has ever been made has, at some point, been used for good and not for good.
As such, certificates can be used in similar ways.

The mindset of "I see a lock, it must be safe" is one that unfortunately many have taken in error.
A lock on the door says nothing about what will be found behind that door.

So . . .
"Encrypted" doesn't mean "safe to use".
It never has.
And never will.


Additionally, people should do the following:

  1. Determine the IP address of the websites.
  2. Use to determine the company who is hosting the website on their network.
  3. File a report with the network's abuse@ , or similarly listed address.

If the website is using branded elements of a large company, one can also reach out to their abuse and legal contacts. These are often listed in the about/contact/legal pages.

Network operators and trademark registrants typically have legal teams that are dedicated to combatting this stuff. They can act quickly to not only fully deplatform the bad actors, but are also in the best position to identity them to law enforcement.

At best, a CA would only be able to remove the SSL lock - leaving the website in place. This would likely require multiple FT staff members to review and act on these complaints, and make the CA liable to legal action if there were false positives.

Additionally, due to inherent conditions and behaviors of the greater SSL Certificate ecosystem [such as OSCP stapling, browser behaviors, CA/B Requirements, etc], revoking a Certificate can take up to 10 days before it is reflected in a browser. This is why the major browser vendors – Google, Mozilla, Apple, Microsoft, etc – all run their own reporting and safe-browsing systems to more quickly identify and block security threats. They constantly push lists of dangerous sites to their clients for immediate blockage.

While CAs are responsible for granting the "lock" of a SSL site, they are simply in the worst position to remove the lock or deplatform a bad actor.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.