jomo is a user on mstdn.io.
jomo @jomo

So someone on Mozilla's dev-security-policy mailing list said "I doubt Let's Encrypt would issue for paypal.any_valid_tld".

I saw that the paypal.cologne domain was available for 13€, purchased it, instantly got a certificate and now paypal.cologne is a thing.


@jomo I guess it summarizes Mozilla's security policy quite well.

@Sir_Boops Oh, that just happened. I may or may not have registered it using a bogus address.

* Domain was just taken down by the registrar because I registered it using a bogus address ¯\_(ツ)_/¯

However, the issued certificate can be seen here: crt.sh/?id=393717424

@jomo your domain will be yanked as soon as PayPal notices, due to WIPO

@gme Does the UDRP process apply when the domain name is not used in bad faith?

@gme @jomo You can add 46.101.236.125 paypal.cologne to your /etc/hosts and the certificate should still be valid.

@jomo @gme it's just a cool place for pals to pay each other cologne, where's the bad faith?

You can use my address if you want to bring the site back up

@alfred @gme Thanks. Account is already closed and the domain purged. Already served its purpose, too.

Probably going to use an existing address from fakenamegenerator.com next time instead of random bullshit.

@jomo I don’t think the problem is Let’s Encrypt there, as you’re not supposed to register domains that are reserved by a trademark. (At least for some TLDs I know that it’s the case.)

@lanodan exactly. I did this to prove them wrong.

@lanodan @jomo Let's Encrypt's blacklist started off with Alexa top 1000. That included too many "non-dangerous" domains but didn't include some "dangerous" ones outside the top 1000. They then handpicked domains out of the top 1000 and wildcarded the TLD for some international domains. That caused issues, especially with two and three letter domains that weren't owned by the banks they were blacklisted for. Now they include TLDs registered by the same corp, which is the best method IMO.

@jomo good reminder that LE is only a DV provider. They don't do EV, in which case you couldn't get an EV validated cert issued to "Paypal Inc." or similar.