Some in the industry, including some CAs (Certificate Authorities), believe that issuing certificates to "malicious" websites should be against the rules of the CA/B Forum, the industry body that sets guidelines for CA behavior.
You are right that some news articles and reports continue to chastise CAs who issue to sites in the style of "gooogle.com". Do not let them trick you - that is only their opinion on the matter. It is NOT against the industry rules to issue those certificates.[1]
What IS against the rules is to issue a certificate for "domain.com" to someone who has not proven ownership of "domain.com". That is the BIG no-no that leads to consequences such as being un-trusted. There are standardized methods for meeting the burden of proof, and every CA uses more or less the same mechanisms to do so.
Let's Encrypt, or any CA, may issue a certificate to "paaypal.com". Even if that site was a PayPal phishing site, a CA is under no obligation to revoke the certificate or prevent that user from getting another certificate.
Some CAs CHOOSE to do this. To some extent, I think it is sensible to try to thwart malicious use. However, the case is often made that CAs and SSL certificates are not meant to "police content", and furthermore, that they are not very effective at doing so.
Flagging a malicious site through a tool like Google's Safe Browsing is significantly more effective than revoking their SSL certificate.
[1] Except for a more recent stipulation that Microsoft added to their root program. If they request the revocation of a certificate they believe is malicious, the CA is expected to comply. If they don't, they are only at risk of being punished by Microsoft.
That's properly understood as a variant of getting a certificate of a domain you don't own, for practical purposes. And the point there is still that the "bad guys" shouldn't be able to get a cert that appears to identify them as Google, not that the bad guys can't get a cert. It's two different things. It is not a bug for Let's Encrypt to hand out certs to "bad" people.
That's fair and makes sense. Still, do you have a source for that type of CA policy? With all due respect, I can't tell if this is just your opinion or a codified threat model.
I remember reports in the past decrying CAs for issuing certificates for phishing sites in the style of "gooogle.com" etc.