Make security technology simpler to use and always someone will use it for criminal purposes.

The backers of the Let Us Encrypt job needed to allow it to be more easy for web site owners to get and install certificates to encrypt HTTP traffic. The job began issuing certifications that were free as portion of a public beta plan in December.

It turned out the malvertisers had created subdomains under valid domain names and pointed them under their management to servers. Traffic was shielded with HTTPS using the Encrypt certifications unique to the subdomains of Let’s, Chen wrote. In this instance, the DV certifications from Let Us Encrypt helped the subdomains, for example ads.companyname.com, as well as the offenders behind them, “gain legitimacy together with the people.”

Let us Encrypt mechanically issues domain name-validated (DV) certifications to sites by checking the URL’s phishing status against the Google Safe Browsing API. Let Us Encrypt will not track the certifications or take any actions later after issued. Let Us Encrypt WOn’t revoke certifications if the domain name is after flagged by Google as malicious.

ISRG is the group managing the Encrypt job of the Let’s.

Let us Encrypt WOn’t be revoking those securities issued to the subdomains used in the malvertising strikes, “but it appears that the websites in question have been taken down,” Aas said.