Let’s Encrypt is a non-profit certificate authority that gives out the digital certificates you need to run an HTTPS site for free. The organization’s noble goal is to increase the use of secure web sites and HTTPS.
I support free and easy HTTPS for everyone, and think Let’s Encrypt’s service is a good thing. However, there is a black cloud in their model: free HTTPS certificates make it easy for cyber criminals to secure their traffic too. Recently, a researcher used Let’s Encrypt’s transparent issuance records to learn that criminals have exploited the service to obtain tens of thousands of certificates with “PayPal” in the domain name. Watch below to learn how this makes phishing easier, and what we can do about it.
Episode Runtime: 3:36
Direct YouTube Link: https://www.youtube.com/watch?v=q-L2qaKwBDU
- Original research blog post about Let’s Encrypt issuing certificates with “PayPal” – The SSL Store
- An update to the blog post reporting larger numbers – The SSL Store
- Article about Let’s Encrypt issuing 14000 SSL certs used for phishing – V3.co.uk
Corey Nachreiner, CISSP (@SecAdept)
I agree with you.
We are supposed to control the government… “for the people, by the people”. We are giving them too much control over us. The consequences of this are enormous.
The idea is great, but the implementation is poor. At the very least they should have a database of trademarked names like PayPal, Google, Microsoft, Watchguard (big Grin) and others to prevent or minimise this kind of problem. It would be easy to make one of the conditions for issuing a free certificate that no trademarked or well-known brand names can be used as part of the certificate’s identity.
However, there is another side to all this. What about a disgruntled person with a genuine grievance who might want to register a site like paypalfeesaretoohigh.com? They might want to securely capture the names of people who agree with the fictional proposition that PayPal fees are too high for the purpose of submitting some kind of petition to PayPal or their Government.
Certificates can already be purchased from most ISP/Host Providers for around A$45; most of that fee is used to verify the purchaser owns the domain and other criteria. Personally, I don’t think that A$45 is a barrier for any criminal wanting to set up their own site. I imagine that A$45 is peanuts compared to the money that is made from scams involving malware-based advertising or fake sites. Similarly, any small business that moans about the price of certificates also needs to really think properly about their business model. Investing A$45 for a certificate to attract more customers, who now trust your online business, is a smart investment.
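The researcher mentioned in the post found the “PayPal” certificates by searching Let’s Encrypt’s public Certificate Transparency records, and the comment above proposes a brand-name check at issuance time. The same check is what a brand owner or SOC runs on its own side: watch CT records and flag any newly certified name that carries your brand but is not under a domain you control. The script below is an added example, not code from the post, from WatchGuard, or from the commenter; `LEGIT_DOMAINS`, the digit-for-letter folding table and the sample records are constructed for illustration, and the record shape (`issuer`, `names`) is an assumption, not the format of any particular CT log tool.

```python
"""Flag brand-lookalike names in Certificate Transparency style records (added example)."""
from typing import Iterable

# Hypothetical allowlist: apex domains the brand actually controls. A name
# under one of these is the brand's own certificate, not a lookalike.
LEGIT_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
}

# Digit-for-letter swaps commonly used to dodge naive string matches; folded before matching.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise_name(name: str) -> str:
    """Lower-case, drop a wildcard prefix and a trailing dot, keep labels intact."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def is_under(name: str, apex: str) -> bool:
    """True if name is the apex itself or any subdomain of it."""
    return name == apex or name.endswith("." + apex)


def brand_hits(name: str, brands=LEGIT_DOMAINS) -> list:
    """Return the brands whose token appears in a name the brand does not control."""
    host = normalise_name(name)
    # Fold look-alike digits and drop separators so 'paypa1' and 'pay-pal' still match.
    folded = host.translate(_SUBSTITUTIONS).replace("-", "").replace("_", "")
    hits = []
    for brand, apexes in brands.items():
        # Legitimacy is decided on the real host name, never on the folded form.
        if any(is_under(host, apex) for apex in apexes):
            continue
        if brand in folded:
            hits.append(brand)
    return hits


def scan_ct_records(records: Iterable[dict], brands=LEGIT_DOMAINS) -> list:
    """Triage list of (name, issuer, brands) for records whose names impersonate a brand."""
    findings = []
    for rec in records:
        for name in rec.get("names", []):
            hits = brand_hits(name, brands)
            if hits:
                findings.append({"name": name, "issuer": rec.get("issuer"), "brands": hits})
    return findings


# Constructed sample records mimicking CT-log entries; these are not real certificates.
SAMPLE_RECORDS = [
    {"issuer": "Let's Encrypt", "names": ["paypal-account-verify.example.net"]},
    {"issuer": "Let's Encrypt", "names": ["www.paypal.com", "paypal.com"]},
    {"issuer": "Let's Encrypt", "names": ["secure.paypa1-login.example.org"]},
    {"issuer": "Let's Encrypt", "names": ["pay-pal.example.com"]},
    {"issuer": "Let's Encrypt", "names": ["*.paypal.me"]},
    {"issuer": "Let's Encrypt", "names": ["blog.example.com"]},
]

if __name__ == "__main__":
    for finding in scan_ct_records(SAMPLE_RECORDS):
        print(f"{finding['name']:40} issuer={finding['issuer']} brands={finding['brands']}")
```

Run against the sample records, the scan returns three findings and leaves the brand’s own names and the unrelated domain alone. The output is a triage list rather than a block list: a substring rule cannot tell a phishing page from a grievance site such as the paypalfeesaretoohigh.com example in the comment, which is exactly the trade-off the commenter raises, so the findings belong in a takedown or review queue, not in an automatic denial.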