I'm not sure what the outrage is about here. If they don't say PayPal before the URL, as PayPal's EV certificate does, then why does it matter that Let's Encrypt issued SSL certs to websites that have PayPal in their names?
By that logic, I would much sooner be outraged at registrars for allowing those guys to obtain domain names that put the PayPal name in the address bar. But of course even that is a silly argument, as it's not the registrar's job to enforce trademark protection for any company.
You are exactly right, not sure why you get downvoted. Let's Encrypt does domain validation. It's perfectly fine that it issues a certificate to paypal.com.phishysite.com to the rightful owner of phishysite.com. It's not their fault that some people do not grasp what that type of certificate (which is nothing new) assures and what not. If you really want to blame someone you have to blame browser vendors for not making it clear enough inside their UI.
//edit: Trademark protection gets even easier as CT logs present such potential violations on a silver plate.
When I see the 'green' colour followed by the word 'secure' when visiting a website using Chrome, I know that this does not mean immediately that I have to trust the site. I presume the vast majority of Hacker News readers will know better too. But what about the normal, average users?
I think we should just be more proactive in telling people what an SSL certificate actually is, and what https guarantees. Otherwise, we are not really having a discussion.
No, it's not about education, it's about a decent UX with some kind of anomaly-based warning system and privacy protection. It's really easy to detect a phishing attempt. I've seen this idea proposed by security people in the past. But it might have serious consequences for the advertising industry, so you won't see this in popular web browsers. You just have to accept that browser vendors don't care about security and you, as a user, are their product.
This isn't new... there has existed DNS-only SSL certificate verification for quite a while.
Let's Encrypt's only job is to not issue certificates to people who don't own a domain. Not to ensure the content of the domain is legitimate. That's what EV certs are for.
To be more specific: EV validates that the entity requesting the certificate is who they claim to be, in addition to demonstrating domain ownership. No validation level makes any kind of guarantee regarding the legitimacy or accuracy of content.
The simple 'domain validated' certificates, which are the only ones Let's Encrypt issues, only certify that the domain owner has access to the secret key. It guarantees that the data exchanged is private, not that the domain owner is doing nothing illegal.
Since all new Let's Encrypt certificates get reported to certificate transparency sites, why not set up a bot that searches them for 'paypal' and sends alarms to PayPal and the registrar about possible abuse?
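The CT-log watching bot proposed in this comment, written out as an added example (not code from the thread, from Let's Encrypt, or from any CT log operator). It assumes input records shaped loosely like crt.sh's JSON output (an `id` and a newline-separated `name_value` field, which is an assumption about the format), a hypothetical brand watch list, and a deliberately naive "last two labels" notion of registrable domain. It flags names that mention the brand token but sit under someone else's registrable domain, so the paypal.com.phishysite.com case from earlier in the thread is caught while the brand's own hostnames are not.

```python
"""Scan constructed CT-log-style records for brand lookalike names.

Added example, not from the thread. Input is a constructed sample
modelled loosely on crt.sh JSON output (assumption about the shape).
"""
import json

# Constructed sample records; 'name_value' packs several SAN entries
# separated by newlines, as crt.sh does (assumption).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "name_value": "www.paypal.com\npaypal.com"},
    {"id": 2, "name_value": "paypal.com.phishysite.com"},
    {"id": 3, "name_value": "*.paypal-secure-login.example"},
    {"id": 4, "name_value": "phishysite.com\nmail.phishysite.com"},
    {"id": 5, "name_value": "PAYPAL.verify-account.example"},
])

# Hypothetical watch list: brand token -> the domain the brand actually owns.
BRANDS = {"paypal": "paypal.com"}


def registrable_domain(name):
    """Naive eTLD+1: the last two labels of the name.

    A production monitor must use the Public Suffix List instead
    (e.g. 'example.co.uk' has three labels); this shortcut is an
    assumption made to keep the example dependency-free.
    """
    labels = name.lower().lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_ct_entries(raw_json):
    """Yield (entry_id, dns_name) for every name in every record."""
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip()
            if name:
                yield entry["id"], name


def find_lookalikes(raw_json, brands=BRANDS):
    """Return records for names that contain a brand token but whose
    registrable domain is not the brand's own domain.

    Names under the brand's real domain (www.paypal.com) are skipped;
    subdomain tricks (paypal.com.phishysite.com), wildcards and
    mixed-case names are all reported.
    """
    hits = []
    for entry_id, name in parse_ct_entries(raw_json):
        lowered = name.lower()
        reg = registrable_domain(lowered)
        for token, owned in brands.items():
            if token in lowered and reg != owned:
                hits.append({"id": entry_id, "name": name,
                             "brand": token, "registrable": reg})
    return hits


if __name__ == "__main__":
    # In a real bot this is where the alert to the brand owner or
    # registrar would be sent; here the hits are just printed.
    for hit in find_lookalikes(SAMPLE_CT_JSON):
        print(f"entry {hit['id']}: {hit['name']} "
              f"(registrable domain {hit['registrable']}, brand {hit['brand']})")
```

The interesting design choice is the comparison on the registrable domain rather than a plain substring match: a substring match alone would also alert on every legitimate `*.paypal.com` certificate, which is exactly the noise that makes such bots get switched off.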