
When the 'S' in HTTPS also stands for shady - necessity
https://www.engadget.com/2017/03/31/when-the-s-in-https-also-stands-for-shady/
======
okket
Let's Encrypt does what its purpose is: issuing certificates to domain owners by
verifying that they have access to that domain. It is not the purpose of the
CA to check the content of the domain for illegal content. If anyone should be
held accountable, then it is the registrar; see

[https://www.icann.org/resources/pages/abuse-2014-01-29-en](https://www.icann.org/resources/pages/abuse-2014-01-29-en)

That said there are some ways to mitigate this problem:

a) The domain owner can publish 'CAA' record(s) in their DNS zone, which
list the Certificate Authorities that should be allowed to issue certificates. If
Let's Encrypt sees this and it is not in the list, it will not issue a
certificate.

b) Certificate Transparency: Let's Encrypt and other CAs inform neutral CT
servers about newly issued certificates. An organisation that is often targeted
by abuse (e.g. PayPal) can monitor these and react appropriately if they
detect malicious behaviour.
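The CAA check described in (a), as an added example that is not part of the original comment or of any CA's code: it evaluates CAA records the way RFC 8659 requires a CA to, against a constructed in-memory zone (the names and records are made up; no DNS lookups are performed).

```python
# Added example: RFC 8659 CAA evaluation over a constructed zone (no network).
from typing import Dict, List, Tuple

# Constructed records: owner name -> list of (flags, tag, value). Not real data.
CAA_ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.":        [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "locked.example.com.": [(0, "issue", ";")],           # bare ';' : no CA may issue
    "strict.example.com.": [(128, "unknown-tag", "x")],   # critical flag, unknown tag
}

def relevant_rrset(name: str) -> List[Tuple[int, str, str]]:
    """RFC 8659 s.3: start at the FQDN and climb toward the root until a CAA RRset exists."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = CAA_ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []  # no CAA anywhere in the chain: issuance is unrestricted

def may_issue(name: str, ca_domain: str) -> bool:
    """True if `ca_domain` is permitted by CAA to issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name)
    if not rrset:
        return True
    # A record with the critical bit (flag 128) and a tag the CA does not
    # understand must block issuance entirely.
    if any(bool(flags & 128) and tag not in ("issue", "issuewild")
           for flags, tag, _ in rrset):
        return False
    # For wildcard names, 'issuewild' records take precedence when present;
    # otherwise the 'issue' records apply to wildcard and non-wildcard alike.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    # The issuer domain is the value up to the first ';' (parameters follow it).
    allowed = [v.split(";")[0].strip() for _, t, v in rrset if t == tag]
    if not allowed:
        return True  # no record with the governing tag: no restriction from CAA
    # A bare ';' yields an empty issuer domain, which authorises no CA at all.
    return ca_domain != "" and ca_domain in allowed
```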

