
I worked for a brand that was heavily impacted by phishing sites that used LE certs. It was annoying, but honestly I wasn’t sure what LE could do about it. If you deny creating a cert with Gmail in the domain, people will just use something like gmall instead.


Many phishing attacks could be thwarted if there was a more manual process for certificate issuance, CAs were obligated to KYC and verify/monitor applicants stringently and lost their license for malpractice, etc. The Web would be a safer place, but the cost is higher barriers to entry, and attackers would just focus on stealing the actual certs.

Some would say being able to communicate privately/securely is irrelevant to whether you should trust whoever you’re communicating with, but then someone could argue that in practice the two get conflated all the time and the aura of the channel colours the counterparty.

I notice that there are two most common categories of non-techie users: those for whom being able to visit a website without loud warnings is enough to auto-trust it, and those who by default distrust anything that has to do with anything on the Web (and the latter are unfortunately correct). You can’t expect people to perform sophisticated threat detection at all times and feel good about their life at the same time.


Exactly. “Unsolvable” is a strong word, but … how wrong is it? Shrug.


Passkeys. The answer is passkeys.



