Why does Let's Encrypt issue SSL certificates to fraudulent sites

While everybody has explained quite well what an X.509 certificate is supposed to certify — not what some users believe it should certify — there is another issue to take into account: how is a Certificate Authority able to know in advance which companies are fraudulent, and which are not?

Since in the democratic world, which adheres to the United Nations Declaration of Human Rights, people are innocent until proven guilty by a court of law, certificate authorities — no matter what the size — are not supposed to be able to condemn potential criminals before they're judged as such. In other words, even the most malicious, criminal, evil organisation in the world is "allowed" to have their own website and certify its ownership, until they're convicted of a crime and ordered to shut down their website.

While this ethical issue is very, very hard to discuss (and agree on!), because there are so many "grey areas" — thus requiring a legal framework to establish guidelines and laws — in general we can assume that certificate authorities act a bit like telephone companies and the post office: they deliver a universal service — meaning: to anybody who is a customer — no matter how "criminal" the conversation/message/packet is. A typical example: Mafia Dons have cellular phone numbers to talk to their minions, and they're allowed to make phone calls, and whatever provider they pick is required to carry their phone calls — even if they're planning murders, extortion, prostitution, drug deals, and so on. It's not the job of the phone company to say: "you're all members of the Mob, so I won't provide you any service because you're criminals". That's up to the courts to decide (and with a successful conviction, they may prevent mobsters from having phone numbers, and the phone companies will be notified to cancel those — if that's part of the court's sentence, of course). Similarly, you can send pharmaceutical drugs through the post service to different countries, and they will deliver your packet — it will be up to the authorities on the receiving side to check if the drugs there can be sold or not, and if not (as happens across the EU, for example), the packet is withheld by the authorities. But it's not the post carriers that will do that. They will deliver anything — even bits of human flesh from a murder — without questioning, and will not be held responsible for doing so. On the other hand, they're bound to comply with local authorities and laws, as well as judicial decisions, to aid the police in their investigations, and to comply with whatever sentences have been applied to a convicted criminal.

While it's dubious how far this analogy can be stretched, currently, to my knowledge, there is no law regulating certificate authorities in any way. There is a body of entities validating the legitimacy of certificate authorities — essentially, the main browser manufacturers, who need to decide which CAs to trust, and which to avoid — but this body acts on its own interests and is not legally bound to any government or international regulation board.

Now, this is the factual issue: CAs are not responsible for whatever crimes are being committed by the websites that get their certificates.

Nevertheless, then we have other issues to deal with. First and foremost, CAs have a marketing department (well, not Let's Encrypt) which tells their potential customers some half-truths, namely, that "you need a certificate to get secure connections to your webserver; and, conversely, your own customers need to be able to use secure connections to find you trustworthy". Even Google (which is its own CA), with the decision of ranking https websites higher (and essentially discarding others), is sort of implying that if you have secure communications, you earn a higher degree of "trust" from Google. And, last but not least, the specialised media will have journalists and opinion makers wildly proclaiming the advantages of using a certificate to "make your website more secure and trustworthy to your customers" (possibly even pointing to Google's decision as a valid argument!).

All this together will put a certain degree of pressure on everybody to get a certificate for their website(s), because the mainstream mindset has been led to believe that encrypted communications to a website are more secure (they are) and only work with legitimate, bona fide sites (they don't), so, in a way, having a certificate means that the company or organisation is being "certified" to be trustworthy... right?

Well, no, but the subtlety of the difference — certifying the connection, not the legitimacy of the company behind the webserver! — is played down by marketing (and the media) to the point that mainstream users cannot really understand that difference at all.

And that is where we can actually make a difference: by educating the mainstream public about what a certificate means. But that needs to be done at a large enough scale to have any effect; and it has to be delivered with a very simple message which anyone can understand. Browser manufacturers may aid in that regard, by explaining what is happening with the connection, for instance. They can also install tools and services to validate the legitimacy of the websites themselves (using many third-party tools to that effect — some browsers have them built-in, others use plugins to achieve the same goal), and correctly explain that one thing is not connected to the other.

And, of course, it would also help if local governments would educate their own citizens about CAs and their certificates, but I'm aware that this is wishful thinking...

7 Likes

Thank you for that explanation.

It doesn't seem there's much the CA can do that would cover all situations. After all, a legit website can change to an illegitimate website and you'd never find out about it.

I guess I look at it from the perspective that they are "using" your platform to give the appearance of legitimacy. Kind of like a fraudulent roofing company might have a nice looking truck, business cards, and insurance papers.

Luckily I've had success getting two of these sites shut down by complaining to the registrars. So, that will be my approach. I'll be looking out for these thieves to fire up another site under a different name.

8 Likes

And to be clear, we totally get where you're coming from, and that it's frustrating. The anonymity of the Internet allows for a lot of good and also a lot of harm.

Exactly. And asking the CA to do something about a fraudulent site is like going to the business card printing company and saying that they shouldn't have sold business cards to them. I mean, maybe the world would be a better place if they magically knew that and didn't end up doing so, but how exactly are they supposed to know ahead of time and why are they the ones you'd complain to rather than the police, building inspectors, and courts?

Good! Keep up the good work! And remember that reporting to the Google Safe Browsing and Microsoft Security sites and the like can help block things from the browsers' end of things too.

10 Likes

This is the problem with "... a fraudulent site that has a similar URL..." People quickly assume the site is what they want without looking. The purpose of a DV certificate is NOT to provide this distinction. Please read up on the differences between the 3 types of certificates that can be obtained and what each provides (and at what expense of time & effort).

https://www.digicert.com/difference-between-dv-ov-and-ev-ssl-certificates

The issue you've brought up has been posted many times here before and explained quite well both in this topic and many others. A DV cert only provides encryption between the site and the user, it does not inform the user if the site owner is honest or a thief. It is up to the user to use some due diligence.

So sorry to hear that. If the fraudulent site is in the USA, you can report it to the FBI's IC3 at

If the site is in another country, one can reach out to the particular police agency or government.

I'm happy for you that the sites got shut down. But the thieves will most likely simply start a new site and repeat what they've done.

5 Likes

Coincidentally, this is also a huge advantage for using a password manager in your web browser. It won't offer to populate credentials for sites that don't actually match what you've previously saved no matter how close they might look to each other.

11 Likes
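The exact-origin check that makes a browser password manager a phishing defence, as an added example that is not part of the original post and not code from any particular password manager. All URLs are constructed for illustration; the IDNA conversion of a Cyrillic lookalike is shown because it is the case people most often expect to slip through.

```python
"""Exact-origin matching: the check behind "it won't offer to fill
credentials for a site that doesn't match what you saved".
Added example, not code from the thread or from any password manager.
All URLs here are constructed for illustration."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url: str) -> tuple[str, str, int]:
    """Return (scheme, ascii_host, port) for a URL.

    The host is lower-cased, stripped of a trailing dot and converted to
    its IDNA/punycode form, so a Unicode lookalike such as 'p\u0430ypal.com'
    (Cyrillic a) becomes 'xn--pypal-4ve.com' and no longer resembles the
    saved host at all. Default ports are filled in so that
    'https://a.example' and 'https://a.example:443' compare equal.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()
    host = host.encode("idna").decode("ascii")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, 0)
    return scheme, host, port


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Offer saved credentials only when the whole origin matches.

    Deliberately NOT considered: how alike the two hostnames look, whether
    the page has a valid certificate, or which CA issued it. A phishing
    page on a different host never gets the saved password, however
    convincing it looks.
    """
    return normalize_origin(saved_url) == normalize_origin(current_url)


if __name__ == "__main__":
    saved = "https://www.paypal.com/signin"
    for candidate in (
        "https://www.paypal.com:443/login",               # same origin -> fill
        "https://www.paypa1.com/signin",                  # digit 1 for l -> no
        "https://www.paypal.com.account-check.example/",  # subdomain trick -> no
        "https://www.p\u0430ypal.com/signin",             # Cyrillic a -> no
        "http://www.paypal.com/signin",                   # scheme differs -> no
    ):
        print(f"{candidate!r:55} fill={should_autofill(saved, candidate)}")
```

Real password managers usually relax this to the registrable domain (via the Public Suffix List) so that a login saved on `www.example` is offered on `accounts.example` too; that relaxation still never matches a different registrable domain, which is what a lookalike site always is.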

I'm sorry, I'm about to cut ISRG root X1 from my root CAs; you have become the CA of choice of scammers. Removing the trust should cause all my browsers to bring up the "danger lies here" warnings and then I will only go anywhere near a phishing site with one of your certificates by hitting agree-and-proceed. I will also do this for the rest of my household, who don't even know what a CA is.

Removing the trust is the right thing to do: how can I trust any certificate you issue? At the very least it will let me know when I'm going near any of your issued certs and that the trust model should be one of "no MITM except by malicious entities with other CAs". Slightly better than nothing, I suppose.

So you'll only get scammers who pay for certificates.

Ok.

5 Likes

Throwing the baby out with the bath water? Do you realize that scam sites with connections secured using LE certificates represent only a small fraction of sites with connections secured using LE certificates? What I also hear you saying is that "I won't visit the sites of small businesses, charities, government projects, and a large number of other benign or benevolent causes". The price tag of "free" doesn't mean that only malevolent entities utilize LE certificates. Besides that, as many in this thread have pointed out in other ways, if you're trusting the content of a site based upon the privacy of the connection to it, I'm assuming that you evaluate the roadworthiness of a vehicle based upon the manufacturer of the locks on the doors? How about cans of soup? The soup must be good if the manufacturer of the lid on the can charges a fortune, right?

4 Likes

Well, I've already noticed what's gone (cmu). Now I'm trying to work out how to get rid of the self-signed stuff while trusting the ones I need to.

if you're trusting the content of a site based upon the privacy of the connection to it, I'm assuming that you evaluate the roadworthiness of a vehicle based upon the manufacturer of the locks on the doors? 

Didn't buy a Tesla, if that's what you mean.

Getting rid of ISRG Root X1 does have fairly widespread consequences, as I can now see. I'm going to have to work out how to mark stuff as danger without breaking automated builds through code repos.

I don't know, maybe by recognizing what a cert does and does not mean? You don't have to look very far; it's discussed at length, with references, in this very topic.

A DV cert--which is by far the most common type of TLS cert that's issued these days, whether from Let's Encrypt or anyone else--validates only that its holder demonstrated control over the domain name in question at the time the cert was issued. That's all it has ever meant. That's all it can ever mean. And if you understand that, your issue about "trusting" LE's certs goes away. Because a TLS cert has never meant, and can never mean, that its holder is a good guy.

7 Likes
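How "demonstrated control over the domain name at the time the cert was issued" is actually checked, as an added example that is not code from the thread or from Let's Encrypt: a self-contained, offline simulation of the ACME http-01 challenge (RFC 8555, section 8.3), which is the validation Let's Encrypt performs for a DV certificate. The account keys, the token and the web-server contents are constructed stand-ins; in the real protocol each order gets its own token and the CA makes a real HTTP request on port 80.

```python
"""Simulated ACME http-01 challenge (RFC 8555 section 8.3): the only thing
a DV issuer checks before issuing. Added example; not code from the thread
or from Let's Encrypt. Keys, token and served content are constructed."""
import base64
import hashlib
import json

# Constructed stand-ins for ACME account keys. Only the thumbprint matters
# here, so the moduli are placeholders rather than real RSA parameters.
APPLICANT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-applicant"}
LOOKALIKE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-lookalike"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, with no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the applicant must publish: '<token>.<thumbprint(account key)>'."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Well-known URL path the CA fetches for the http-01 challenge."""
    return f"/.well-known/acme-challenge/{token}"


def ca_validates_http01(domain: str, token: str, account_jwk: dict, web: dict) -> bool:
    """The CA's side of the check. `web` stands in for the public Internet:
    it maps (host, path) to the body an HTTP GET over port 80 would return.
    The CA fetches the challenge URL on the requested name and compares the
    body with the expected key authorization. Who runs the site, what it
    sells, or whether the name resembles someone else's is never examined."""
    served = web.get((domain, challenge_path(token)))
    return served is not None and served.strip() == key_authorization(token, account_jwk)


def demo() -> dict:
    # Constructed token; a real one is random, per order, chosen by the CA.
    token = "constructed-token-0123456789abcdefghijklmnop"
    # The genuine operator of shop.example publishes their key authorization ...
    web = {("shop.example", challenge_path(token)): key_authorization(token, APPLICANT_JWK) + "\n"}
    # ... and so does whoever controls the lookalike sh0p.example, with their own key.
    web[("sh0p.example", challenge_path(token))] = key_authorization(token, LOOKALIKE_JWK)
    return {
        "shop_controls_its_name": ca_validates_http01("shop.example", token, APPLICANT_JWK, web),
        "wrong_key_fails": ca_validates_http01("shop.example", token, LOOKALIKE_JWK, web),
        "missing_file_fails": ca_validates_http01("shop.example", "other-token", APPLICANT_JWK, web),
        "lookalike_controls_its_name": ca_validates_http01("sh0p.example", token, LOOKALIKE_JWK, web),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case:30} {'issued' if passed else 'refused'}")
```

The last case is the whole point of the thread: the operator of `sh0p.example` passes exactly the same test as the operator of `shop.example`, because the test asks only "can you put this file on a server answering for this name?". A CA, free or paid, has no step in this exchange at which "is this a scam?" could even be asked.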

You would be a whole lot better off if you just stopped clicking on phishing links instead.

You should probably also work to retrain anyone in your orbit who has been infected with the farcical notion that the presence of valid TLS certificate means anything more than an encrypted connection is in use.

6 Likes

Uhm... Do you know how HSTS works?

3 Likes

I’d like to remind everyone in this thread to be kind. We’re on the same team, trying to solve the same problems, just with different viewpoints. I personally think this is a matter on which reasonable people can disagree.

Let’s Encrypt’s policy here is clear, and this thread has covered all angles of the debate, so I’m closing it to further replies.

10 Likes