by joshmoz
3819 days ago
Head of Let's Encrypt here. We were aware of the "google.com.mg" cert soon after it was issued. We didn't revoke the cert for the same reason we don't revoke most certs: as far as we can tell, the cert was issued to the entity properly controlling "google.com.mg". Whether or not that is Google (the company) is not really within our purview. That said, in this case, as a courtesy, we did notify Google employees and made the decision to report the site to Google Safe Browsing. GSB and SmartScreen are the right places to deal with things like this. IIRC GSB did block the site for a while, but that block seems to be gone now.

Hi Josh. This is mentioned in the third paragraph of the article, but it looks like HN didn't read that far, so probably worth mentioning it again.
I didn't mention LE specifically out of respect for the work you guys are doing, but since you've posted here: why wasn't this flagged as a High Risk Certificate Request before issuing per Baseline Requirements 4.2.1?
Also where is the High Risk Certificate Request check available in the LE source?
Thanks!