Let’s Encrypt is a non-profit certificate authority that issues, free of charge, the digital certificates you need to run an HTTPS site. The organization’s noble goal is to increase the use of secure web sites and HTTPS.
I support free and easy HTTPS for everyone, and think Let’s Encrypt’s service is a good thing. However, there is a black cloud in their model: free HTTPS certificates make it just as easy for cyber criminals to encrypt their traffic and put a padlock on their sites. Recently, a researcher searched the public Certificate Transparency logs that Let’s Encrypt submits its certificates to and found that criminals have exploited the service to obtain more than 14,000 certificates with “PayPal” in the domain name, the great majority of them for phishing sites. Watch below to learn how this makes phishing easier, and what we can do about it.
Episode Runtime: 3:36
Direct YouTube Link: https://www.youtube.com/watch?v=q-L2qaKwBDU
- Original research blog post about Let’s Encrypt issuing certificates with “PayPal” in the domain – The SSL Store
- An update to the blog post reporting larger numbers – The SSL Store
- Article about Let’s Encrypt issuing 14,000 SSL certificates used for phishing – V3.co.uk