Let's Encrypt used to "secure" thousands of phishing sites

Justify this, Sup Forums:

crt.sh/?CN=%paypal%&iCAID=7395

Admit it, Let's Encrypt was a bad idea.

>Hurr durr, but user TLS is not designed to verify the legitimacy of the we-
Gtfo. 95% of internet users rely on the padlock or "SECURE" and aren't checking the domain, like you autists

How hasn't its root been pulled from the stores yet?
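The OP's crt.sh link is a Certificate Transparency search: every certificate logged for one CA whose name contains the brand string. As an added example (not code from the thread and not Let's Encrypt's), the block below does that triage offline in Python over constructed records shaped like crt.sh's JSON output. The field names (issuer_ca_id, name_value, not_before, not_after) and the CA id 7395 are carried over from the OP's URL as assumptions; the .example hostnames are invented, and paypal.112.2o7.net is the third-party host a later post in the thread mentions, included to show why a defender keeps an allowlist.

```python
"""Triage Certificate Transparency records for brand lookalike names.

Added example (not from the thread, not Let's Encrypt code). It does
offline what the OP's crt.sh query does: filter one CA's certificates
for names containing a brand string. Records are constructed here in
the shape of crt.sh's JSON output; the field names below and the CA id
7395 are assumptions carried over from the OP's URL.
"""
from datetime import datetime

# Constructed sample data. The .example hostnames are invented;
# paypal.112.2o7.net is a third-party host mentioned later in the thread.
SAMPLE_RECORDS = [
    {"issuer_ca_id": 1001, "name_value": "www.paypal.com\npaypal.com",
     "not_before": "2016-01-01T00:00:00", "not_after": "2017-01-01T00:00:00"},
    {"issuer_ca_id": 7395, "name_value": "paypal.com.login-verify.example",
     "not_before": "2016-03-01T00:00:00", "not_after": "2016-05-30T00:00:00"},
    {"issuer_ca_id": 7395,
     "name_value": "*.secure-paypal-update.example\nsecure-paypal-update.example",
     "not_before": "2016-06-01T00:00:00", "not_after": "2016-08-30T00:00:00"},
    {"issuer_ca_id": 7395, "name_value": "paypal.112.2o7.net",
     "not_before": "2016-05-01T00:00:00", "not_after": "2016-08-01T00:00:00"},
    {"issuer_ca_id": 7395, "name_value": "unrelated.example",
     "not_before": "2016-05-01T00:00:00", "not_after": "2016-08-01T00:00:00"},
]


def under_any(name, domains):
    """True if name equals one of domains or is a subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in domains)


def registrable_domain(name):
    """Naive eTLD+1 (last two labels). Real tooling should use the
    Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(name.split(".")[-2:])


def find_lookalikes(records, brand, brand_domains, allowlist=(),
                    issuer_ca_id=None, as_of=None):
    """Group lookalike names by registrable domain.

    A name is a lookalike if it contains `brand` but is neither under one
    of the brand's own domains nor under an allowlisted third-party domain.
    `as_of` (ISO 8601) marks whether any certificate for that domain is
    still within its validity window on that date.
    """
    as_of_dt = datetime.fromisoformat(as_of) if as_of else None
    hits = {}
    for rec in records:
        if issuer_ca_id is not None and rec["issuer_ca_id"] != issuer_ca_id:
            continue
        not_before = datetime.fromisoformat(rec["not_before"])
        not_after = datetime.fromisoformat(rec["not_after"])
        for raw in rec["name_value"].splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):      # a wildcard covers its base domain
                name = name[2:]
            if brand not in name:
                continue
            if under_any(name, brand_domains) or under_any(name, allowlist):
                continue
            entry = hits.setdefault(registrable_domain(name),
                                    {"names": set(), "still_valid": False})
            entry["names"].add(name)
            if as_of_dt is not None and not_before <= as_of_dt <= not_after:
                entry["still_valid"] = True
    return hits


def demo():
    """Run the triage over the constructed records as of mid-July 2016."""
    return find_lookalikes(SAMPLE_RECORDS, "paypal", ["paypal.com"],
                           allowlist=["2o7.net"], issuer_ca_id=7395,
                           as_of="2016-07-15T00:00:00")


if __name__ == "__main__":
    for domain, info in sorted(demo().items()):
        state = "VALID" if info["still_valid"] else "expired"
        print(f"{domain:35} {state:8} {sorted(info['names'])}")
```

Grouping by registrable domain matters because one phishing registration typically shows up under several hostnames; the `still_valid` flag is what separates a live lookalike from historical noise, which is the distinction a later post draws when it notes that none of the listed certificates were valid past June 2016.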

>Gtfo. 95% of internet users rely on the padlock or "SECURE" and aren't checking the domain, like you autists
That's their problem.

cars kill. so do guns. is this the problem of the tool/technology? no. fuck off!

2nd amendment fag detected

It is mainly used to secure many legitimate sites. Why should the ability to guarantee your site is your site to your users be restricted?

make an argument yourself then...

give me a way to use a self signed cert then instead of relying on third party authorities

Let's Encrypt is a broken solution to a broken certification system

people thinking https means the site is safe is not my problem

Serves the fucks right for not separating out cryptographic verification and general encryption to stop MITM snooping when designing this shitshow in the first place.

TLS was a mistake! Never trust certificate jew.

TLS doesn't secure against web hosting takedown or traffic filtering. Self-signed certificates have literally the same value when it comes down to proving domain legitimacy, but browsers treat them with a freaking error page.

This

THIS

Who decides what is legitimate?
Also, they (certificates) were expensive and have no restrictions; you just need to pay.

This
Literally this

/thread

MITMers can self-sign too, so blindly trusting all self-signed certs is worse than even Let's Encrypt.

The normie web is just plain fucked as far as security is concerned

the padlock isn't the problem because the address still appears in the URL highlighted in black (with the rest in grey)
real sites can use extended validation certificates to display the business name as well, which paypal does

none of the certs listed have been valid past late June 2016

Here:
huffingtonpost.com/d-robert-worley/judicial-activism-and-the_b_2412471.html

Cars are actually strictly regulated. And guns are a constitutional right, TLS is not - don't compare both.

>Cars can be used by criminals as getaway vehicles, clearly cars were a bad idea.
>Criminals can use guns for violent crime, clearly guns were a bad idea
>Phones can be used by criminals to communicate, clearly phones were a bad idea
You get my point. Just because something can be used by bad people doesn't mean the thing is automatically bad. If you use common sense and see that you're on zbay rather than ebay, don't log in.

No one gives cars or guns or phones away to criminals for free though.

Also, all of those are regulated in any decent country.

blindly trusting self signed certs is dumb because anyone can self sign them.
any of these scammers could have bought a regular domain-only-validated SSL cert from another provider and the effect would be the same.

>just use common sense, user
>it's your fault if something happens to you
Nice victim blaming, faggot.

>make insecurity the norm because retards are retarded
A+ logic right here

A criminal can get a car easily: lots of used car dealerships out there have zero background checks and accept cash payments, and guns are easy to get on the black market, or you can make an improvised gun if you know what you're doing.

fpbp

>encryption didn't exist before let's encrypt
You're clinically retarded.

Telling everyone that https means you're safe is becoming a mistake; blindly trusting https is a mistake, you now need to read the full URL before trusting a website

It's still better for the data to be transferred over a secure channel than in fucking plain text.

So not for free? I see.

Encryption only guarantees that the connection between you and the server cannot be eavesdropped. Authentication should be done by a different thing.

Let's Encrypt is a good idea. Using https as a way to say if a website is legit is not a good idea at all.

Install Web of Trust or the Netcraft Toolbar.

So your only problem is that it's free? You actually think all these sites will magically disappear because, oh fuck, they have to pay for it?

I don't see the problem here. So some people used the word "paypal" as subdomain and who cares? The certificate is ok, the subdomain can be whatever they want. fpbp

Wrong. Authentication was part of https' goal right off the bat. The whole point of having a certificate authority is certifying that the certificate owner is who he claims he is. Let's Encrypt is just a bad authority.

You moved the goalposts, faggot. Better luck next time.

I didn't move any goalposts, you queer; you just declared it moved goalposts because you knew you had no argument. You're using the same arguments liberals use to kill the 2nd amendment and they're working so far, I don't want you ruining another good thing because you need a big government cock deep inside your asshole.

This, there's no point in certificates if all you want is scrambling. RSA + DH key exchange could take care of that without the need for certificates at all.

>cut yourself with a razor because you're too stupid to read up on how to use it first
> WAAAH ban razors!

extended validation is a thing, as is checking the url domain.

>WAAAH I opened my secure front door because someone rang the bell and he stabbed me
>it's the door's fault!

no one fucking cares.

then remove letsencrypt from your cert stores you fucking useless crybaby faggot.

oh wait you can't because you're too tech illiterate.

Now you're strawmanning in a desperate attempt to associate me with a disliked group of people.

Keep grasping at straws, everyone's having a good laugh thanks to you.

>free-malwarez-Virusez-and-eXploitation-d0wnL0adZ.ru
>"This is surely a safe site to visit. After all it has https, doesn't it..?"

10/10
Here is your internet training certificate sir, enjoy your stay.

You're using the same arguments that the left uses to give up rights for the illusion of freedom. Something is used by bad people, so instead we should demonize and get rid of it, because you can't handle freedom.

If you think I'm gonna pay some stupid company to give me a measly cert and then also pay up for everything like renewals and revocations, you can forget that. And a lot of other server owners will say the same. So yeah, killing off LE amounts to removing a lot of security because we sure as fuck aren't gonna replace it with the inferior alternatives.

>>make an argument
>posts a fucking article with zero context

you're like those holocaust denial fags that link you to 30 minute youtube videos.

HTTPS authenticates that paypal.com is paypal.com and that paypaal.com is paypaal.com. None of the certificates linked to in OP were for paypal.com, www.paypal.com, or any other legitimate paypal subdomain.

If they went to another provider, like Comodo or Godaddy, and typed in to buy a certificate like reallylegitimatenotfakepaypal.com, it would validate domain control (Whois contact info -> email the admin, or maintain a particular DNS TXT record) and issue the certificate after payment.

To resolve this and provide more trust to users, Extended Validation certificates were created that take far more effort to validate, and actually validate the company (business) buying the certificate. This is why when you visit paypal.com, it says "PayPal Inc." next to the padlock.

too bad http and browsers only provide that in the form of... yep, certs

No I'm not, but you're on the verge of tears already so I'll just let you believe whatever you want. I'm not worried because anyone can read the thread and see my original point, which was: no one gives cars or guns away for free, so certificates also shouldn't be given away for free.

WTF is wrong with this faggot trying so hard to politicize this thread? Fuck off!

Also, sorry to break it to you, but the left is right. Reactionary scum, off to the gulag!

>no one gives cars or guns away for free, so certificates also shouldn't be given away for free.
That's the most retarded argument I've ever heard, I'm almost convinced you're trolling now. You're telling me a company shouldn't be allowed to do what they want and it should be regulated like everything else? Do you suck cock this much

>inferior alternatives
Except we've just established that Let's Encrypt is the inferiorest alternative, you fag.

The incremental cost of issuing a certificate is next to nothing, while increasing the amount of encrypted traffic on the web to protect user traffic from ISPs, governments, and other parties snooping on it is of great value to society as a whole and internet privacy.

They totally can do what they want, but they need to suffer the consequences and have their root certificates removed from every trusted database out there.

You're the one saying we shouldn't be free to refuse to trust someone who can't be trusted. So you're the anti-freedom cocksucker here.

MODS Sup Forums IS LEAKING AGAIN

Alright, you had me there for a while, but Sup Forums is full of unironic communists and state worshipers so you did a great job there.

Sup Forums supports Let's Encrypt so they can get a cert without having to worry about getting their certs revoked by comodo or whatever because they were found to be too antisemitic

>if you don't worship corporations, you worship the state
You may leave now.

It's not even a corporation, it's an organization

>no one gives cars or guns away for free
not the one you are arguing with but I have to add something to your discussion:
Everyone can make a certificate for their own server without even having a domain. Building a car may be possible but it is way harder. In both situations there is a problem: you can't really build a car alone and be allowed to drive it freely, and browsers may show a warning sign because your certificate is not validated by something they know. In the end it doesn't really matter for the certificates, because stupid idiots will click everything they want and make an exception for the certificate in their browsers anyway. Also another thing: buying a car from someone who doesn't really check who you are and what you want to do is the same as paying for a certificate with some stupid domain, because that doesn't really get checked either. I know this because I own some paid ones. I could still do shit with it and they would never find out because my bank account is somewhere else. The only way to make sure that certificates only get used for good things is to check every buyer's identity from time to time and to monitor it.

People who get phished deserve it.

Phisher detected.

All your arguments to remove LE rely on a single foundation: that free https certs make it possible for fake sites to look legit

Maybe you shouldn't all have made the mistake of telling everyone the lie that https == legit website and blindly parroted it forever despite all the warnings about the fallacy in that logic. This logic does not hold up anywhere else either.

You idiots put yourself in the problem you're trying to fix at everyone else's expense, you can get yourself out. Should have rtfm instead of spreading dumb assumptions. Go fuck yourself.

To be fair, https had to be dumbed down to "it's automatically safe" so normalfags could listen and understand it in the very first place

If the problem is that "people look at the padlock to check if the domain is legitimate", browsers should just look up if the domain is listed in a "legitimate websites" list to put a padlock or not, and leave the https only in the url

The padlock only means "your connection is encrypted", not "nothing bad can happen to you here"

There is a difference between a simple TLS/SSL certificate and an extended validation certificate acknowledging a business entity you bunch of gigantic retards.

>security should only be for those who have the money to spare
security should be standard for all

>learning to check the domain in the url is so much more of a problem than destroying the security of millions of sites, reversing immense progress, and costing all sites a ton of money and saddling them up with the shitty cert companies again
lazy, selfish fuck

>thinking commercial certs offer the security you think, as if they constantly evaluate all their clients
false sense of security and the resulting lazy ignorance based on fallacious logic is worse than legit security that gets abused by a tiny minority of phonies who are easy as fuck to sniff out anyway

did you have to kill a thread for this retarded bullshit?

See

phishing sites had TLS certs before LE anyway. They just had to cough up $20 for them with a stolen credit card. It was an inconvenience to them, at best.

As always the real problem is normies being too trusting, taking shortcuts, and actively refusing to think and be cautious. This is why they get bent over and fucked in all sorts of ways by all sorts of people, online and off.

>having to dumb down a 2-step process
nigga please. just no. we can't keep pandering to the absolute lowest denominator forever

Sup Forums is making stupid arguments on how certificates are equivalent to guns or cars, and even arguing that OP wants much government regulation because he thinks applications (private) should ditch LE.
It doesn't matter if Sup Forums supports the right alternative, they're always stupid.

This thread should end in the first post. It's not LE's fault that the users are so fucking illiterate that they believe the padlock means the site is secure. Also, based on my experience, the average user doesn't even know what the padlock means and just types their secrets everywhere it requests them.

Left supports an armed proletarian, fucking limp wristed liberal.

Op thinks there is some kind of ethics check when an issuer gives a cert.

They only check one thing: is the money in our pocket?

Actually there is no real difference except one certificate shows more information. That information may be valid if the company that validates it is itself trusted and valid. A self-signed certificate may hold more information.

No you dense motherfuckers. Https will validate to the server you're trying to connect to. If you're going to Facebook and the https certificate can not be verified, then that means you're not connecting to the server you're trying to connect to and someone is conducting a MITM attack against you.

Whether or not Facebook is a legit website is another kind of verification.

You're mixing up two different meanings of "verification", this is the Twitter "verified account" problem all over again.

Isn't capitalism just great?

>Authentication was part of https'
it never was in the way you mean it.

actually you are connecting a few times before the warning appears on your screen, and your browser will offer the option to still accept the certificate, connect to it and show the site. A self-signed certificate on some domain doesn't mean there is someone doing a MITM attack, but for known domains like facebook this could be the case OR fuckerberg just forgot to renew it.
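Two earlier posts make the technical point of the thread: a domain-validated certificate proves control of exactly the name in it (so a lookalike name validates for itself and for nothing else), EV adds a vetted organisation name, and a failed check can mean a name mismatch, an expired certificate, or an issuer the browser does not trust, which by itself does not tell an interception apart from an admin who forgot to renew. The block below is an added example (not code from the thread or from any browser) that walks those outcomes in Python over constructed certificate records; the certificates, the CA names and the `trusted_issuers` set are invented, and chain building and signature checks are left out.

```python
"""What a TLS certificate check does and does not establish.

Added example (not from the thread). Certificates are modelled as plain
dicts (constructed, not real certificates) carrying only the fields a
verifier consults: SAN names, issuer, validity window, whether the
certificate is self-signed, and the organisation an EV certificate
carries. Chain building and signature verification are out of scope;
the `trusted_issuers` set stands in for the browser's root store.
"""
from datetime import datetime

TRUSTED_ISSUERS = {"Example DV CA", "Example EV CA"}   # constructed names

# Domain-validated certificate for a lookalike name: the CA verified
# control of this exact name and nothing else.
LOOKALIKE_DV = {
    "san": ["paypal.com.login-verify.example"],
    "issuer": "Example DV CA", "self_signed": False, "organization": None,
    "not_before": "2016-03-01T00:00:00", "not_after": "2016-05-30T00:00:00",
}

# Extended-validation certificate: the same name check plus a vetted
# organisation name that the browser can show next to the padlock.
BRAND_EV = {
    "san": ["paypal.example", "www.paypal.example"],
    "issuer": "Example EV CA", "self_signed": False, "organization": "PayPal Inc.",
    "not_before": "2016-01-01T00:00:00", "not_after": "2017-01-01T00:00:00",
}

# Self-signed certificate presented for a well-known name: from the
# certificate alone, an interception and a misconfiguration look the same.
SELF_SIGNED = {
    "san": ["social.example"],
    "issuer": "social.example", "self_signed": True, "organization": None,
    "not_before": "2016-01-01T00:00:00", "not_after": "2017-01-01T00:00:00",
}

NOW = "2016-04-15T00:00:00"   # constructed "current time" for the demo


def hostname_matches(hostname, san_names):
    """RFC 6125-style match: exact (case-insensitive) or a wildcard that is
    the whole leftmost label and stands for exactly one label, never for
    the bare domain or for several labels."""
    host = hostname.lower().rstrip(".").split(".")
    for pattern in san_names:
        pat = pattern.lower().rstrip(".").split(".")
        if pat == host:
            return True
        if (pat[0] == "*" and len(pat) >= 3 and len(pat) == len(host)
                and pat[1:] == host[1:]):
            return True
    return False


def verification_problems(cert, hostname, trusted_issuers, now_iso):
    """Return every reason a verifier would refuse this certificate for
    this hostname; an empty list means the check passes."""
    problems = []
    if cert["self_signed"] or cert["issuer"] not in trusted_issuers:
        problems.append("untrusted_issuer")
    now = datetime.fromisoformat(now_iso)
    if now < datetime.fromisoformat(cert["not_before"]):
        problems.append("not_yet_valid")
    elif now > datetime.fromisoformat(cert["not_after"]):
        problems.append("expired")
    if not hostname_matches(hostname, cert["san"]):
        problems.append("hostname_mismatch")
    return problems


def identity_shown(cert):
    """What the padlock UI can honestly assert: a vetted organisation for
    EV, otherwise only the hostname whose control was validated."""
    return cert["organization"] or cert["san"][0]


if __name__ == "__main__":
    for label, cert, host in [("lookalike DV", LOOKALIKE_DV, "paypal.com.login-verify.example"),
                              ("lookalike DV vs real name", LOOKALIKE_DV, "paypal.com"),
                              ("brand EV", BRAND_EV, "www.paypal.example"),
                              ("self-signed", SELF_SIGNED, "social.example")]:
        print(f"{label:28} {verification_problems(cert, host, TRUSTED_ISSUERS, NOW) or 'ok'}"
              f"  shown as: {identity_shown(cert)}")
```

The lookalike certificate passes cleanly for its own hostname and fails only on a name mismatch when tested against the real brand domain, which is exactly why the padlock cannot carry the "legitimate site" meaning the OP wants from it; an expired or self-signed certificate produces a different, named failure, so a UI or monitoring rule can react to each separately.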

this
just because most people are retards doesn't mean some of us shouldn't have an easy way to get our websites and other shit running over HTTPS

>good software being used for bad purposes
>OMFG anons are all dumb, look at this, this is so bad, we must ban this software right now, look at what it's done, so wrong, omfg.

This is the reason why we can't have nice things: people like you who live in their mothers' basements like angry gremlins and look for something to get mad about. Why don't you do your parents a favor and go become a functional member of society.

>That information may be valid if the company that validates it itself is trusted and valid.
And that's the whole point of the CA in any PKI. Any rogue CA should lose the trust that it is granted.

But what about good people that become bad after they got their certificate. Does the CA have to monitor their clients 24/7? What if they do not revoke the certificate fast enough? If the CA loses trust, then all of the customer certificates (that means: all customers of the CA) are fucked too just because ONE customer decided to be an asshole.

letsencrypt validity is solid.

whether the domain name is malicious or not is out of the scope of the project and would require a lot more manpower and funding.

if you're concerned. don't trust letsencrypt certs. but in practice it's perfectly safe.

What's the point of having certificate revocation if you don't use it? Why do we pay CAs money if they don't do anything?

Daily reminder there's a reason why CAcert never got included in any trustbase.

Actually you payed just for your certificate, and also these certificates show more than just a green padlock and stuff like "validated by LE". These certificates you payed for show the name of your company and stuff, if you want. Actually that is all you pay for.

>payed

So Let's Encrypt offers certificates so that phishing sites can also set up an HTTPS connection? And the "problem" is that people who visit the phishing site think it's legit because the connection is secured? Am I understanding this correctly?

Anti 2nd amendment fag detected

/thread

I'm not anti-2nd amendment. I just can interpret it correctly like it has always been interpreted before Republican judicial activism. See

>And the "problem" is that people who visit the phishing site think it's legit because the connection is secured
The "problem" is that most of the world is not autistic faggots and if you put green text with the words "SECURE" in front of a URL people will think it is secure

CAs should have a role in not only doing domain validation but enforcing content

So content that is illegal (hosting CP), scamming or hosting fringe political views like white supremacy or antisemitism SHOULD have their certs revoked. Those sites are not 'trusted'.

>What if they do not revoke the certificate fast enough
pathetic fallacy

all CAs as it is now revoke certs upon being reported for use in illicit activities

Let's Encrypt is run by autistic weeb fags who think the internet is for the 1% of ppl that understand public key cryptography

otherwise, the browsers should not be drawing attention to such sites as 'secure'. Or, some other form of verification beyond DV.

>all CAs as it is now revoke certs
correction
all CAs except Let's Encrypt **

sorry I fucked it up. paid*

>The "problem" is that most of the world is not autistic faggots and if you put green text with the words "SECURE" in front of a URL people will think it is secure

This. You can blame Google for that.
certsimple.com/blog/browser-security-indicators

>Let's Encrypt was a mistake.

paypal.112.2o7.net/

I haven't found yet how to display info about the cert in chrome/ium. Any idea?

You were a mistake.

>t. your dad

Are you OK, user?

Yes, son.
But I told you not to come to Sup Forums, didn't I?