A great post on understanding the role of CAs versus browsers, and more importantly the perceptions around “safety” when “connection security” is properly implemented. Letsencrypt provides a great service to the open web, away from the political agendas of nation states.
I've been seeing a strange surge of new posts on the @letsencrypt forums complaining about certs being issued for malicious sites. Here's some perspective on it.

It’s inappropriate for any CA to be the police of the Internet. The job of a (WebPKI) CA is only to verify technical control over the relevant DNS zone. It makes no assertions about the owner or entity behind the site, the nature of the content, or the behavior of the site.

> "I'm old enough to remember when CAs did some diligence and the browsers believed when a CA declared a site belonged to a certain entity. Wasn't perfect but it would've stopped <scam site>. LE is enabling them to do their scam. Without LE, or rather, browser's trust in LE, you practically couldn't get to the scam site."

This is false. Author is old enough to remember the very first SSL certs issued, and then the more widespread EV certs later on. EV certs tried to offer extra security, but failed: cyberscoop.com/easy-fake-ext…

Without LE, or browser's trust in LE, the scammer will just find another domain or another CA in a matter of minutes. LE does not enable scammers any more than seatbelts enable dangerous drivers.

If a site is conducting illegal activities such as fraud (note that this is different from simply being the victim of a software vulnerability), it should be reported to law enforcement agencies, the web host, the CDN (if any), and possibly the domain registrar.

No, because permanently blocklisting a domain does more harm than good. If a site is merely the victim of a software vulnerability and only hosted malware for a brief time, refusing to encrypt connections to it puts the entire public at greater risk for legitimate activities, some of which may be safety-critical, thus doing more harm than good.
If the CA permanently blocks the domain, then there's residual harm for future domain owners who may be running perfectly legitimate operations on the site, or have trademark rights to the domain to at least redirect it to their site. Certificates are like seatbelts. Everyone should have access to them, even if they should be in jail. Let's Encrypt is not a business, and is definitely not in the business of policing scammers (except for one very specific kind of scam, which is impersonating a Web property using its exact same domain), so... Let the CAs do their job. Contact web hosts and law enforcement when there is illegal activity, or SafeBrowsing-esque lists when there is malware.
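The thread's central point is that a WebPKI CA verifies only technical control over the domain, nothing about who runs it or what it serves. The following is an added example, not Let's Encrypt's code, showing what that check actually looks like on the CA side for an ACME http-01 challenge (RFC 8555 section 8.3): the CA computes the expected key authorization from the challenge token and the RFC 7638 thumbprint of the account key, fetches `/.well-known/acme-challenge/<token>` over plain HTTP, and compares strings. The account keys, token, domain names and served responses below are constructed for the example; no real key material or live network access is involved, and `fetch` is a stand-in for the HTTP client.

```python
"""CA-side ACME http-01 validation (added example, not Let's Encrypt's code)."""
import base64
import hashlib
import json
from typing import Callable, Dict, Optional


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no
    whitespace) of the key-type-specific required members, base64url-encoded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the client must serve <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(domain: str, token: str, account_jwk: dict,
                    fetch: Callable[[str], Optional[str]]) -> bool:
    """The whole domain-control check: fetch the well-known URL and compare the
    body to the expected key authorization. Page content, ownership and intent
    never enter into it."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    body = fetch(url)
    if body is None:          # nothing served (DNS failure, 404, timeout, ...)
        return False
    return body.strip() == key_authorization(token, account_jwk)


# --- constructed sample data: not real keys, not real domains ---------------
TOKEN = "constructed-token-8f2c1a"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "CONSTRUCTED_X_COORDINATE", "y": "CONSTRUCTED_Y_COORDINATE"}
OTHER_JWK = {"kty": "EC", "crv": "P-256",
             "x": "SOMEONE_ELSES_X_COORDINATE", "y": "SOMEONE_ELSES_Y_COORDINATE"}

# What each constructed host serves at the challenge URL (None = nothing served).
SERVED: Dict[str, Optional[str]] = {
    f"http://shop.example/.well-known/acme-challenge/{TOKEN}":
        key_authorization(TOKEN, ACCOUNT_JWK) + "\n",      # correct answer
    f"http://other.example/.well-known/acme-challenge/{TOKEN}":
        key_authorization(TOKEN, OTHER_JWK),               # answer for a different account key
}


def fake_fetch(url: str) -> Optional[str]:
    """Stand-in for the CA's HTTP client; serves from the constructed table."""
    return SERVED.get(url)


def run_demo() -> Dict[str, bool]:
    """Validate three constructed domains and return the per-domain outcome."""
    return {d: validate_http01(d, TOKEN, ACCOUNT_JWK, fake_fetch)
            for d in ("shop.example", "other.example", "silent.example")}


if __name__ == "__main__":
    for domain, ok in run_demo().items():
        print(f"{domain}: {'control proven' if ok else 'control NOT proven'}")
```

Only `shop.example` passes: it serves the key authorization bound to the requesting account key. `other.example` fails because the thumbprint belongs to a different account key, and `silent.example` fails because nothing is served. Nothing in the decision looks at what the site hosts, which is exactly why a validated certificate says "this requester controls this name" and nothing more.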
Replying to @realhamed
EV certs went away because research showed “no one” noticed them (I relied on them but I guess I was in the minority). duo.com/decipher/chrome-and-…
Jan 1, 2024 · 5:36 PM UTC
Replying to @bilcorry
Indeed. And the “lock” gave people the wrong sense of “security”