Will Let's Encrypt uphold their own Terms of Service?

According to Let's Encrypt Terms of Service (https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf)

4.3 Suspension and Revocation

You also acknowledge and accept that ISRG may, without advance notice, immediately revoke Your Certificate if ISRG determines, in its sole discretion, that: (vi) Your Certificate is being used, or has been used, to enable any criminal activity (such as phishing attacks, fraud or the distribution of malware);

Through the CT we found a site that was run by scammers to steal money from our customers, so we contacted Let's Encrypt with a request to revoke the certificate. We got a response that was contradicting the Terms of Service as it is published by Let's Encrypt (and, please, mind that Terms of Service is a legally binding document).

OK, we thought that support person was just not trained properly so we searched a bit more and found the following contact information (ISRG CPS v2.5 - Let's Encrypt):

1.5.2 Contact person

The ISRG PMA can be contacted at:

Policy Management Authority
Internet Security Research Group
1 Letterman Drive, Suite D4700
San Francisco, CA 94129

Certificate Problem Reports can be submitted via email to:

cert-prob-reports@letsencrypt.org

Surely, Policy Management Authority is aware of the Terms of Service and will handle the request. Little we know, but the address is bouncing messages (well, it is actually configured as a redirect to a support@isrg.zendesk.com, but it seems that ZenDesk no longer knows about such a customer and any message sent to the officially published contact e-mail are bouncing).

Now, there are two questions I would love to hear the official position on:

  1. What is the correct contact e-mail for the Policy Management Authority (if it is the specified e-mail, when Let's Encrypt is planing to actually fix it?)
  2. Why support staff replies that Let's Encrypt do not revoke certificates which are clearly used for criminal activities when the Terms of Service explicitly says that in such a use is against the terms and the certificate will be revoked?

Emphasis added:

Please see Scammer abusing your SSL Certificate - #2 by _az and The CA's Role in Fighting Phishing and Malware

I'm sure if a US court asks for the revocation, Let's Encrypt will obey. But without an official judgment, it's hard to define "clearly used for criminal activities". Furthermore, the certificate provided by Let's Encrypt only says that you are contacting the owner of the website, nothing more. Asking the registrar or the hosting provider is in my opinion a better legal course of action.

1 Like

Can you share the bounce message you received with headers? I was just able to successfully email cert-prob-reports@letsencrypt.org.

1 Like

I will ask our engineers to provide me with the headers, however, we found a workaround (to send the message dirrectly to ISRG’s zendesk queue) – and we got the same canned response that is in violation of Let’s Encrypt’s own Terms of Service – How come that Let’s Encrypt does not uphold the conditions of the document which is legally binding? Why there is no official response?

4.3 Suspension and Revocation

You also acknowledge and accept that ISRG may, without advance notice, immediately revoke Your Certificate if ISRG determines, in its sole discretion, that: (vi) Your Certificate is being used, or has been used, to enable any criminal activity (such as phishing attacks, fraud or the distribution of malware);

it's wriiten in a way that ISRG reserved right to revoke such cert, but not that they have to.

Yes, I know the legal language tricks and in this case may (a likely action) is used in comparison to might (unlikely action). Nobody should expect to see will (a real commitment to do something) in that sentence.

All in all, I am after an official position from Let’s Encrypt since I was defending Let’s Encrypt at my organisation (I am a strong believer in LE’s mission), but it is hard to defend when our company is suffering from phishing websites and the only CA that does not revoke certificates is LE with the only official stance in Terms of Service contradicting what LE is actually doing.

The blog post from Josh (The CA's Role in Fighting Phishing and Malware - Let's Encrypt) is 4 years old and Terms of Service was updated in Nov 2018, hence it is hard to reconcile one against another. If the position was to do nothing in 2015, then ToS should have been updated to reflect this. Also, the end of the blog says:

We’re going to implement this phishing and malware status check because many people are not comfortable with CAs entirely abandoning anti-phishing and anti-malware efforts just yet, even for DV certificates. We’d like to continue the conversation for a bit longer before we abandon what many people perceive to be an important CA behavior, even though we disagree.

So it is really confusing. On one hand I understand that the real fight with phishing is elsewhere (e.g. promoting EV certificates and making them more accessible, for example, since we, as society, already invested a lot of effort to educate users to trust the "green bar", etc.). Unfortunately, over the years the message was distorted and the majority of users "trust" a valid certificate without realising that a valid DV certificate is just a confirmation that the owner of the domain was able to confirm that they control that domain. So, when a new phishing website pops-up with a look-alike content that steals credentials the majority of non-tech people who land there put theit trust in the padlock they see.

The blog post was updated this year:

(Update: As of January 10, 2019, we no longer check domains against the Safe Browsing API.)

@_az, thanks, I can read – that update does not remove any confusion, it actually introduces more – since the whole section is talking about doing something re: phishing and then there is an update in the middle that says “we stopped doing what we just told you we will” :slight_smile:

This thread, though, is not about that blog post – this thread is about the alignment of ToS as published on LE’s site to the responses from official representatives.

The closest analogy would be a gun manufacturer providing an outlet where you can purchase the produce of that manufacturer. Despite that a gun is just a tool and can be used for either good or bad deeds, the manufacturers do influence how their produce is distributed (e.g. just a quick Google search gave me this - http://www.washingtonpost.com/wp-srv/WPcap/1999-10/22/041r-102299-idx.html?noredirect=on).

Nobody is expecting LE to do proactive anti-phishing checks – this is truly beyond Domain Validation, but responding on companies requests for revoking a certificate when there is proof that the domain in question is malicious and is used for the crime activities – this is expected.

I don't think LE check domain from anything other then tiny list of known "high risk" hosts,
they don't actively check even on Treasury's sanctions list, witch that legally required to not export services.

@orangepizza, you are touching on something that although interesting, but is not in the scope of this topic. The proactive part and regulatory compliance is LE’s business concern (maybe they have internal procedures we are not aware of).

This thread, however, is about rendering a helping hand to legitimate business owners who are suffering from being attacked. Right now, everything points toward LE not giving … about business needs, but

a) if it is so, it should be clearly documented as the official position
b) if it is NOT so, then it also should be documented clearly

The problem is usually hidden in the way how we, tech community, see the world: there is a piece of beautiful technology that allows us to uplift the whole network to encrypted channels – this is great, indeed. However, people often forget that any technology out there, in a virtual world, has ultimate goal to bring some tangible results to human beings in this physical world. What’s the point of having a beautiful mechanism of securing communication between two parties if one of the parties would not use the mechanism since they are suffering and not support from the creators of the mechanism is rendered?

As people here have helpfully explained, there is no violation or inconsistency with of our terms of service in this instance. We simply reserve the right to revoke.

That leaves the question of whether or not we should do something different. We have spent quite a lot of time considering our policies and we’ve explained our thoughts in the blog post that people here have referenced to you. That explanation remains consistent with our terms of service and our policies, even though it was written four years ago. Our staff replied correctly when they responded to your report.

Domain Validation certificates simply do not make assertions about the safety of website contents. That’s just not what they do, it’s not something they have ever done. Certificates exist in order to help set up an encrypted and secure communication channel, which is valuable and a separate issue from content safety status.

If you think a certificate is making an assertion that site content is safe, you’re probably being mislead by the lock icons that browsers display. It’s confusing UI, and hopefully that situation will be improved by the browsers sooner rather than later. I’d much prefer to see no UI when a site uses TLS (as that should be the default situation) and warnings when there is no TLS.

3 Likes

Since the topic of this thread has been definitively addressed and I don’t think further discussion will be productive I’m going to close the thread as resolved. Thanks everyone.