I'm not sure what the outrage is about here. If they don't say PayPal before the URL, as PayPal's EV certificate does, then why does it matter that Let's Encrypt issued SSL certs to websites that have PayPal in their names?<p>By that logic, I would much sooner be outraged at registrars for allowing those guys to obtain domain names that put the PayPal name in the address bar. But of course even that is a silly argument, as it's not the registrar's job to enforce trademark protection for any company.
The certificates serve their purpose - they encrypt the traffic between the client and the website. I think Let's Encrypt does its job perfectly.<p>It's not Let's Encrypt's job to protect users from fraud.
I think the issue is an issue of education.<p>When I see the 'green' colour followed by the word 'secure' when visiting a website using Chrome, I know that this does not mean immediately that I have to trust the site. I presume the vast majority of Hacker News readers will know better too. But what about the normal, average users?<p>I think we should just be more proactive in telling people what an SSL certificate <i>actually</i> is, and what https <i>guarantees</i>. Otherwise, we are not really having a discussion.
This isn't new... there has existed DNS-only SSL certificate verification for quite a while.<p>Let's Encrypt's only job is to not issue certificates to people who don't own a domain. Not to ensure the content of the domain is legitimate. That's what EV certs are for.
The DNS registrars should be held accountable and informed about the abuse; they are required to act.<p><a href="https://www.icann.org/resources/pages/abuse-2014-01-29-en" rel="nofollow">https://www.icann.org/resources/pages/abuse-2014-01-29-en</a>
Perhaps the use of the word "certificate" is somewhat to blame here?<p>.. in ordinary English, a "certificate" is a proof or guarantee of authenticity.