It's frustrating because certificate revocation doesn't even really work, since most browsers don't check for it due to the various performance/privacy issues it causes. (OCSP stapling doesn't help here, because a scammer just won't use it.)
At best Let's Encrypt could revoke the cert and block them from getting a new one, but then the scam site is still good to go for 90 days. I doubt most phishing sites even last that long.
What does work, and relatively quickly, is having the web host shut down the site (basically instant), having the registrar revoke the domain (takes effect as soon as DNS caches start expiring) or adding it to the various phishing site lists used by browsers. (Not sure how often those update, I assume at least daily.)
I hope that the misguided people asking LE to shut down the domain are at least trying to contact the web host, registrar, and the safe browsing list people before hassling the (mostly volunteer) folks on the LE forums.
At best Let's Encrypt could revoke the cert and block them from getting a new one, but then the scam site is still good to go for 90 days. I doubt most phishing sites even last that long.
What does work, and relatively quickly, is having the web host shut down the site (basically instant), having the registrar revoke the domain (takes effect as soon as DNS caches start expiring) or adding it to the various phishing site lists used by browsers. (Not sure how often those update, I assume at least daily.)
I hope that the misguided people asking LE to shut down the domain are at least trying to contact the web host, registrar, and the safe browsing list people before hassling the (mostly volunteer) folks on the LE forums.