SSL used by scammers


#1

The certificates on the following websites have been issued by Let’s Encrypt Authority X3:

All these websites are used by scammers.

How can one identify the real owner of the certificate? Do you need to go through the court?


SCAMMERS using Let's Encrypt SSL Cert
#2

Hi,

Disclaimer: I’m not a LE employee, my say doesn’t represent anything (related to LE or other), only my solo opinion.

I think LE’s purpose is to provide users with a more secure web (away from hackers, etc.), not an authentic web. As a free certificate authority, they can suggest those in their policy, but it depends on the website owner to follow it.

You can’t really identify the real website owner (by yourself) though; perhaps the only thing LE can do is revoke their cert.


#3

This has definitely been discussed before. The best place to report these is Google’s Safe Browsing service (https://safebrowsing.google.com/). Let’s Encrypt will not issue certificates for sites on this list, but it offloads the considerable task of maintaining such a blacklist to an entity more geared for that purpose.


#4

You can also report to Microsoft and Apple:

@kenorb, as other people have alluded to, Let’s Encrypt is only trying to confirm that connections are cryptographically secure, and not that sites’ content is not malicious.

If you want to pursue some kind of action against the site operator using the legal system, you might have the most success contacting the domain registrar. Let’s Encrypt knows the IP address from which a certificate was requested and the contact e-mail address (if any) which was provided on the account, but will not divulge this information without a court order. Apologies for the misstatement; please see below. The domain registrar ordinarily knows these things as well as the physical address that the domain registrant claimed to be located at and the payment method that was used to pay for the domain name, which might be less anonymous than the IP address and e-mail address.

Some domain registrars may also be willing to suspend domain registrations for certain kinds of abuse complaints.


#5

Depends on the certificate. There are three different types of certificates:

Only with the extended certificate can you know for certain the “real owner”, i.e., the legal representative of a domain. Which probably could be some sort of shell company…

Domain validation, which most certificates are, is just that: with the aid of the public key infrastructure, you can be certain it’s actually the server responsible for the hostname you’re connecting to. And nothing more than that. It does NOT validate the CONTENTS of the site! Certificates were NEVER meant for that! It’s just verifying you’re actually connecting to the scam-site. It’s up to THE USER to check for scams or not.

It’s beyond me why people think the “green lock” says anything about the contents of a website. It only says the connection to the scam or phishing site is secure! Yay! Your credit card info isn’t interceptable by a man in the middle attacker when you’re st*p*d enough to fall for a scam-site with a green lock :stuck_out_tongue:
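As an added example (not code from any post in this thread or from Let’s Encrypt), the Python below makes the point in post #5 concrete: it performs the one check a domain-validated certificate actually supports, matching the hostname you connected to against the certificate’s DNS names, and inspects the subject to see whether any organization identity was asserted at all. The two certificate dicts are constructed for illustration in the layout that `ssl.SSLSocket.getpeercert()` returns; the hostnames and organization names in them are placeholders, not real sites.

```python
"""Added example: what a DV certificate does and does not tell you.

Works on the dict layout returned by ssl.SSLSocket.getpeercert(); the
certificate data below is CONSTRUCTED, and every hostname is a placeholder.
"""

# Constructed DV-style leaf: subject carries only a CN, issuer is an intermediate
# named like the one in the thread. No organization field is present.
DV_CERT = {
    "subject": ((("commonName", "scam-site.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X3"),),
    ),
    "subjectAltName": (("DNS", "scam-site.example"), ("DNS", "*.scam-site.example")),
}

# Constructed OV-style leaf: the subject also carries an organizationName that
# the issuing CA checked against business records.
OV_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Bank plc"),),
        (("commonName", "www.bank.example"),),
    ),
    "issuer": ((("commonName", "Example OV CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"),),
}


def subject_field(cert, key):
    """Return the first value of `key` in the subject RDN tuples, or None."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def dns_names(cert):
    """Names the certificate is valid for: the DNS entries of the SAN extension.
    Browsers match against the SAN list, not the subject CN."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    """RFC 6125-style matching: case-insensitive; a single wildcard is allowed
    only as the whole left-most label and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail or not tail:
        return False  # only the "*.domain" form is accepted
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def hostname_matches(cert, hostname):
    """True if the certificate covers `hostname` (the only thing DV proves)."""
    return any(_name_matches(p, hostname) for p in dns_names(cert))


def validation_level(cert):
    """Heuristic: DV subjects carry only a CN; OV/EV subjects add organizationName.
    Telling EV from OV needs the certificate policy OIDs, which this dict lacks."""
    return "OV/EV" if subject_field(cert, "organizationName") else "DV"


def describe(cert, hostname):
    """What a 'green lock' on `hostname` would and would not tell you for this cert."""
    return {
        "connected_to_named_host": hostname_matches(cert, hostname),
        "validation": validation_level(cert),
        "organization_asserted": subject_field(cert, "organizationName"),
        "content_vetted": False,  # no certificate type vouches for site content
    }


if __name__ == "__main__":
    for host in ("scam-site.example", "login.scam-site.example", "a.b.scam-site.example"):
        print(host, describe(DV_CERT, host))
    print("www.bank.example", describe(OV_CERT, "www.bank.example"))
```

Running it shows the lock-icon check succeeding for the DV certificate on `scam-site.example` and its single-level subdomains while `organization_asserted` stays `None`; the OV-style certificate carries a vetted organization name, and in neither case does anything in the certificate speak to what the site serves.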


#6

I think that a lot of security education over the past decade oversimplified this and so it’s not surprising that some people understood it that way. In reality, “security” online could include all sorts of different threats, some of which could be from the site operator, some of which could be against it, and some of which could be against the communications between the user and the site operator—among other possibilities.

I don’t think it’s surprising that a lot of users internalized the idea that the presence of a lock means the entire situation is somehow legitimate. Unfortunately, that idea is counterproductive in our current environment.

Edit: a nice post from 2.5 years ago on this point:


#7

And since Let’s Encrypt has a focus on using software to automate certificate management, the IP address from which the certificate was requested was most likely the web server’s public IP address, which everyone already knows.


#8

Whenever I run into scammers and hacked accounts, I use the ARIN whois lookup (http://whois.arin.net) and report a scammer or abused server to the owners and abuse contacts of the IP range.

The IP range owners are usually pretty fast to look into this, because they want to keep their blocks off DNS blacklists.


#9

This is not strictly accurate. For the authoritative version of what we share and when, please check the Privacy Policy. In particular, the IP address from which ACME requests were made (usually the same as the server address) is not considered private, though contact information is. Also, the conditions under which Let’s Encrypt might share contact information are enumerated more explicitly there.

That said, I agree with what other folks have said: Your first, and best, bet is to submit domains to Safe Browsing and other anti-phishing lists. If you want to go further, checking WHOIS and contacting the registrar is a good next step.

