I read this in the news recently

Let's Encrypt has issued 15,000 SSL certificates to PayPal phishing sites (Security experts call on firm to refuse certificates for domains containing popular brand names)


I'm aware that HTTPS doesn't necessarily indicate a site you can trust, only that the connection is secure. However, does the issuer have a responsibility, either legal and/or moral, to police how its certificates are used?

Is it the responsibility of a certificate authority to ensure an SSL is not used for nefarious purposes?


2 Answers

A CA has a responsibility to verify that the person requesting a certificate for a domain actually owns the domain in question. It is not up to the CA to perform censorship of domain names, nor to police what people do with a certificate once they have it.

Now, your concern is already kinda addressed by the higher levels of SSL certificates, but it's up to the corporation applying for the cert to spend the extra time and money to get it.

There are effectively two levels of certificates you can buy: Domain Validation (DV) and Extended Validation (EV). DV certs are designed to have automated issuance and are the type of cert that Let's Encrypt issues. EV certs have much higher levels of vetting before issuance, and require phone calls, paperwork, etc.


Issuing criteria

Only CAs who pass an independent qualified audit review may offer EV, and all CAs globally must follow the same detailed issuance requirements which aim to:

  • Establish the legal identity as well as the operational and physical presence of website owner.

  • Establish that the applicant is the domain name owner or has exclusive control over the domain name.

  • Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

Note that for EV certs, the legal entity applying for the cert needs to be a corporation, not an individual, and the corporation name is included in the cert, and appears in the status bar of your browser.

ex: non-EV cert: [image: non-EV certificate in browser]

ex: EV cert: [image: EV certificate in browser]

Notice how PayPal's legal name appears in the address bar? That is next to impossible to spoof, and we are raising the bar for spammers: the only way to get "PeyPal, inc" there would be to actually incorporate a company, which criminal organizations typically don't want to do. So once users get used to looking for this on big-name websites, this problem will kinda solve itself. Unfortunately, because of the amount of manual verification involved, EV certs are expensive (hundreds of USD per year), and CAs like Let's Encrypt or GoDaddy will never offer them.

Generally speaking, a CA is like the passport office or the bureau that issues driver's licences; they have a responsibility to ensure that A) you are who you say you are, and B) that you have met the requirements (i.e. you are a citizen / you have passed your driving tests). They have no responsibility to track what you are doing with that ID, nor is it legal for them to revoke your passport / driver's licence even if you do use them for illegal purposes.

Addressing comment:

Is there a history of certificate issuers revoking certificates because of nefarious use, even though they don't have a legal responsibility to do so?

No, definitely not. A CA would get shut down if they did that.

Think about it this way: Certificate Authorities need to be a completely neutral and globally trusted 3rd party. If they have the power to make judgments on what counts as "nefarious" and revoke certificates based on that, then they wouldn't be neutral and globally trusted, now would they?

You might think that the browsers could get together and make a strict set of rules for what counts as "nefarious" so that the CAs are then only enforcing the rules. But what would that actually accomplish? Phishers and scammers are very good at slipping through the rules. We would likely spend more time and effort arguing about the rules than the amount of benefit we'd get from it.

Mike Ounsworth
  • Interesting. I'll likely accept in a few. Follow up question. Is there a history of certificate issuers revoking certificates because of nefarious use, even though they don't have a legal responsibility to do so? – Goose Mar 28 '17 at 18:13
  • 1
    Even with EV certificates, all that EV asserts is that the company has an active legal presence in the jurisdiction stated in the certificate, under the name given in the certificate, has control over the domain given and had a representative that'll be responsible for the registration. That's all. There are examples of illegal pirate sites, like YTS.RE, which [obtained an EV certificate](https://certsimple.com/blog/are-ev-ssl-certificates-worth-it), because they are a legally registered company in the UK. The CA defended their decision of issuing the certificate. – Lie Ryan Mar 29 '17 at 01:20
  • 1
    If you have any legal or moral issues with a company with an EV or OV certificate, you can file a lawsuit against the business in the justification specified in the certificate, to get their business registration removed or to get compensation for your losses. If the business registration is revoked, then the CA can revoke the certificate. It isn't the CA's responsibility or right to make these judgements. – Lie Ryan Mar 29 '17 at 01:41
  • I don't know for other countries, but US states can and do revoke a driver's license for serious driving crimes (e.g. driving intoxicated multiple times) and sometimes non-driving too; they also can and do suspend a DL for a period like 3 mos or 1 yr for less-serious crimes. And the State Dept. does revoke passports in some cases, including as a recent change delinquent tax over $50k. Of course governments, unlike TLS CAs, are already responsible for defining and punishing much nefarious behavior, and have established systems (mostly police and courts) to do so. @LieRyan: ITYM jurisdiction – dave_thompson_085 Mar 29 '17 at 02:34
  • @dave_thompson_085 I went through the same thought process before posting. I think that's more analogous to `keyCompromise` or `privilegeWithdrawn`, which _are_ things that a CA can and will revoke a cert for. – Mike Ounsworth Mar 29 '17 at 03:03
  • @dave_thompson_085: yes, jurisdiction, I blame autocorrect. – Lie Ryan Mar 29 '17 at 03:48

does the issuer have a responsibility either legal and/or moral to police how its certificates are used?

Sort of. While they might not be held responsible for the actual usage of the certificates after they were issued, the issuers have their own policies regarding handling of potential fraudulent certificates.

These policies are legally binding on them to an extent, although it might be argued whether the purpose of the stipulations is to justify refusal of issuing a certificate (legal issues are out of scope for Security.SE).

Let's Encrypt's policy "Verification against High Risk Certificate Requests" in the "ISRG Certification Practice Statement" (v1.4, May 5, 2016) states:

To prevent potential phishing, fraudulent use and to take further precautions against potential compromise, The CA maintains a list of prior high risk requests and checks a third-party authority list specifying current high risk Domain Names. This list is used by servers to identify potential risks. Should an application with any potential risk posed to the CA or a Domain Name listed on the third-party authority list, it will be flagged and brought to the attention of management to complete further internal verification. To prevent high-risk Issuance of a DV-SSL Certificate this internal verification will require one or more of the following pieces of evidence:

  • Request further documentation confirming control of the domain from the Applicant;
  • Careful examination of the FQDN to confirm whether the intent of the Domain Registrant or Applicant is to imitate or mislead customers of an FQDN on the high risk third party authority list in order to commit fraudulent or phishing activities (e.g. www.g00gle.com, www.1dentrust.com, etc.) and specific filters that are established at the system level to deny initial applications (e.g., non-US ASCII characters);
  • Manual review of all information provided in the online application form; and/or
  • Other verifiable proof as deemed necessary by the CA management.

Definitely CAs can refuse to issue a certificate - they are still operating as businesses and you cannot coerce a company to provide a certain service to you just because you want it to (consumer rights aside).

Revoking is a different problem, though.

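As an added illustration of the FQDN check the quoted CPS describes (flagging names such as www.g00gle.com or www.1dentrust.com and non-US-ASCII labels for manual review), here is a CA-side screening routine. This is example code, not Let's Encrypt's or ISRG's; the high-risk name list, the homoglyph table and the edit-distance threshold are constructed for the example, and a real CA would draw its list from the third-party authority feed the CPS refers to.

```python
# Added illustration of the FQDN check the quoted ISRG CPS describes; the brand
# list, homoglyph table and threshold are constructed for this example.

# Constructed stand-in for the "third-party authority list" of high-risk names.
HIGH_RISK_NAMES = ("paypal", "google", "identrust")

# Constructed table of ASCII lookalikes folded to the letter they imitate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s", "|": "l"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_fqdn(fqdn: str, high_risk=HIGH_RISK_NAMES, max_distance: int = 1) -> list:
    """Return the reasons a request should be flagged for manual review.

    An empty list means no finding. Every label except the TLD is folded
    through the homoglyph table and compared with each high-risk name, both
    as a substring ("paypal-login") and by edit distance ("ldentrust").
    """
    reasons = []
    if not fqdn.isascii():
        # The CPS names non-US-ASCII characters as a system-level filter.
        reasons.append("non-ASCII characters in FQDN")
    labels = fqdn.lower().rstrip(".").split(".")
    for label in labels[:-1]:
        folded = label.translate(HOMOGLYPHS)
        for name in high_risk:
            if name in folded:
                reasons.append(f"label '{label}' contains high-risk name '{name}'")
            elif levenshtein(folded, name) <= max_distance:
                reasons.append(f"label '{label}' is within {max_distance} edit(s) of '{name}'")
    return reasons


if __name__ == "__main__":
    for fqdn in ("www.g00gle.com", "www.1dentrust.com",
                 "paypal-secure-login.example", "p\u0430ypal.com", "example.org"):
        print(fqdn, "->", screen_fqdn(fqdn) or "no finding")
```

A hit only routes the request to manual verification, matching the CPS wording; it is not by itself a refusal.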