Why does let's encrypt issue SSL certificates to fraudulent sites

The purpose of a certificate is to provide assurance to the web user community that the site in question is secure and valid.

I have found yet another fraudulent web site in which Let's Encrypt issued a certificate - https://insightcreditunion.life/pc.html.

My prior topic on this subject was quickly closed with (basically) the excuse that Let's Encrypt isn't in the business of revoking certificates of fraudulent sites.

This is contradictory to the whole purpose of the service you all are supposed to be providing.

Additionally, I've seen other posts in this community where someone has had the same issue I'm posting about, and it seems many in the community agree with Let's Encrypt's position.

In effect, Let's Encrypt is providing a false sense of security to web users. The exact opposite of the actual job of an SSL certificate authority.

That's a misunderstanding of what a DV certificate provides.

You would help the "web user community" by helping educate them on what a certificate actually provides. And, educate on tools they can use to avoid fraudulent sites. Things like Safe Browsing options in browsers or extensions that do similar.

Here's a quote from the Let's Encrypt policy

Let’s Encrypt is going to be issuing Domain Validation (DV) certificates. On a technical level, a DV certificate asserts that a public key belongs to a domain – it says nothing else about a site’s content or who runs it. DV certificates do not include any information about a website’s reputation, real-world identity, or safety. However, many people believe the mere presence of DV certificate ought to connote at least some of these things.

Treating a DV certificate as a kind of “seal of approval” for a site’s content is problematic for several reasons.

The full policy is at this link

10 Likes

The only thing that a certificate assures is that your connection is private (as in, no one else hears what you say). You can have a private conversation with the devil* itself too. Does that make their words trustworthy, secure and valid?

*Replace devil with whatever evil entity you believe in (any religious entity, the IRS...).

This is not specific to Let's Encrypt: This applies to all other certificate authorities as well. No one provides more than a very simple assertion of an identity. Anyone claiming that certificates attest anything about trustworthiness is either clueless or outright lying.

10 Likes

I recommend reading Let's Encrypt's actual principles and mission statement. It probably isn't what you seem to think it is.

The purpose of a CA isn't to allow for "trust" in the sense that you think it is, or to validate that a web site is "good" or even "legal". Its purpose is purely infrastructure to allow for web browsers to know that the site they think they're connecting to is actually the name they think they are. There are plenty of good organizations trying to prevent Bad Things on the Internet, and many of them are working to solve the problems you see. It's just not the job of the CA part of running the Internet.

11 Likes

Interesting. I find the concept of a domain validation certificate troubling. Most users who take the trouble of viewing certificate information are not clear on this. After all, the browser states clearly that the connection is secure and the certificate is valid. This is misleading at best. In fact, if you browse the certificate details, nowhere does it indicate that these are domain validation certificates and should be trusted accordingly.

To make matters worse, if one were to do a "whois" on these sites, you'll find that their registry name is redacted for privacy.

It seems to me that if these domain validation certificates and/or private registry names were prohibited, there would be a significant reduction in fraud on the internet.

Also, "Bad Things on the Internet" is pretty subjective. That's a good reason not to delegate filtering.

This web site does not supply ownership information.

5 Likes

True. Browsers generally hide the information, basically trying to make TLS the norm and only flagging something that isn't encrypted at all. And people digging into certificate information may not know the meaning of what they're looking at, no. But that's a pretty small minority of users.

Yes. Definitely one challenge is that the problems that a "secure" connection and valid certificate solve, aren't the problems that most users care or think about. (In part because it's just basic infrastructure of getting the user to the site in their address bar, kind of like DNS.)

The kinds of problems of "the site with this domain name isn't trustworthy" tend to be solved by browsers having separate lists and heuristics. That's why we recommending reporting "bad" sites to those programs, and maybe to their hosting providers and such. They're the ones who have the power to help protect users. And they're much more effective than trying to put something in the advanced certificate details which are meaningless technobabble to most users.

I mean, it's Certificate Policy 2.23.140.1.2.1, which one can find buried in there if one knows where to look. :wink:

Well, even an Organization Validated certificate that has an organization name doesn't really mean that it should be trusted more. It's easy in many jurisdictions to create a "real" organization with any name one wants. And knowing the name of an organization one is connecting to might mean something, but doesn't mean that it's really trustworthy (or that the server is only running code intended by the organization, if an organization got hacked themselves).

Maybe, but it just might be an increase in shell company names, and a decrease in regular people being able to just communicate anonymously (especially people under authoritative oppressive governments). Certainly it's a tradeoff, but the general consensus is that it's better for The Internet to allow for more access, with separate protections to try to help prevent Bad Things.)

6 Likes

When someone browses to a fraudulent site that has a similar URL, and looks and feels exactly like the actual site, the DV certificate does nothing to let them know that they are not on the site they think they are.

Neither do EV or OV certificates. There are examples of both issued to companies that are not the ones you expect.

On the other hand, extreme automation is the only reason Let's Encrypt can offer DV certificates for free. You cannot automate OV or EV.

8 Likes

No, it does not. It offers an encrypted connection between the user and the site. This is very valuable. People using open wifi systems, for example, won't have their data snooped.

Yes, bad actors cause trouble. It is frustrating. But much is needed to handle that. There is no single magic answer.

7 Likes

Here you're hitting the nail right on the head! The CONNECTION is secure. That's it. That's all. The CONNECTION is secure.

A browser and a certificate do not claim anything else. Not about the website, not about the content. Just about the connection.

In the past, there were things like "EV certificates" (Extended Validation Certificate - Wikipedia), but Google Chrome as well as Mozilla Firefox decided 4 years ago that they wouldn't continue with EV indicators already (Chrome and Firefox Removing EV Certificate Indicators | Decipher).

So even the certificates that did claim something more about the website itself have practically been removed from the web ecosystem. They still exist, but browsers don't mark them as extra secure or something similar as they did in the past.

The people just have to realise the purpose of a TLS certificate (securing the CONNECTION) and that with a TLS certificate you can securely transfer your credit card details to a scammer or transfer your identity information to a phishing website securely. That's all there is to it.

8 Likes

The CA/B forum sets the rules for certificate issuance and use. If you have any issues with how certificates are issued, or would like to see them changed, you should contact them.

Google and Microsoft already provide APIs to flag malicious websites. They operate with a budget measured in billions, and have a broad view of the Internet.

How would Let's Encrypt (or any CA) know any reported sites are malicious? It could be a competitor trying to knock my website offline during a busy time of year. Could I sue the CA for damages?

Maybe my website is legal in one country, but illegal in another? Not every CA is American, and I could just obtain a certificate elsewhere.

The point is, the CA is not the proper layer to address these issues.

7 Likes

That brings up the question(s):
Shouldn't DNS providers stop resolving domains that are fraudulent?
And thus:
Shouldn't hosting companies stop hosting sites that are fraudulent?
Why stop there?:
Shouldn't the entire Internet stop the transmission of fraudulent activity?

[Why focus only on the CA?]

7 Likes

I'll turn the question back at you: why should a certificate authority police the content of sites that use its certificates? Because that's what you're asking them to do.

7 Likes

The CA is one layer in the equation. As it stands my complaint to the registrar resulted in the malicious site being taken down. So that's probably the more appropriate direction to take as they provide an abuse outlet.

My 83 year old mother was a victim. As I tracked down the fraudulent site the first thing I looked at was the certificate. My thought was that a CA shouldn't issue a certificate to a criminals. I still think there should be a way to have it known who these criminals are and have every layer of security involved so the chances of them repeating what they do are minimalized to the nth degree.

A common (though incorrect, IMO) belief. But where does it end?

  • In Germany, last I knew, it was a crime to deny the Holocaust.
  • In North Korea, it's a crime punishable by death to mock the Crazy Fat Man.

Examples could be multiplied, but I think these are enough for now. Should LE refuse to issue a cert to such sites? And how would they know of the content? What if the content changes after the cert is issued?

The fundamental error is in believing that the cert validates something that it does not. The cert verifies that its holder has demonstrated control over the name(s) on the cert--that's it. That's all it has ever meant, and it's all it can ever mean. It has never meant anything with respect to the bona fides of the cert holder.

7 Likes

You should know that Let's Encrypt is a very small nonprofit with around 30 employees. I don't know how you suggest they should be doing that while issuing 3.5 million certificates per day. Let's Encrypt Stats - Let's Encrypt

We understand what you're saying. But blocking issuance to these websites is incredibly expensive, and revoking certs after the fact is not very effective.

5 Likes

I'm not certain, but I think you could even get a certificate using Tor to communicate to the ACME server. Or use a VPN.

When required by the authorities, I believe LE would hand over things like IP addresses used, but chances are this wouldn't help the investigation. Unless the scammers were dumb enough to get a cert using their home connection. (Usually the webserver itself is used and you already know that IP address.)

4 Likes

In fact, Let's Encrypt publishes Legal Transparency Reports saying how often they are legally required to give authorities data. Compared to the number of certificates out there, it's a really small number.

6 Likes

In a "perfect world" all people would be "good". And in the rare case where someone wasn't, any of the "good" would have the power to prevent them from doing anything "bad" [by any means].

In this world, we can't take the power of judge, jury, and executioner into our own hands.
It is NOT within the power of the CA to execute a certificate for the reason you mention.

5 Likes