
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Phishing with Let’s Encrypt – Daily Security Byte

March 28, 2017 By Corey Nachreiner

Let’s Encrypt is a non-profit certificate authority that gives out, for free, the digital certificates you need to run an HTTPS site. The organization’s noble goal is to increase the use of secure web sites and HTTPS.

I support free and easy HTTPS for everyone, and I think Let’s Encrypt’s service is a good thing. However, there is a black cloud in their model: free HTTPS certificates make it easy for cyber criminals to secure their traffic too. Recently, a researcher used Let’s Encrypt’s public certificate records to learn that criminals have exploited the service to obtain tens of thousands of certificates with “PayPal” in the domain name. Watch below to learn how this makes phishing easier, and what we can do about it.

Episode Runtime: 3:36

Direct YouTube Link: https://www.youtube.com/watch?v=q-L2qaKwBDU

EPISODE REFERENCES:

  • Original research blog post about Let’s Encrypt issuing certificates with “PayPal” – The SSL Store
  • An update to the blog post reporting larger numbers – The SSL Store
  • Article about Let’s Encrypt issuing 14,000 SSL certs used for phishing – V3.co.uk

Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes Tagged With: Infosec news

Comments

  1. Alan says

    March 28, 2017 at 11:13 am

    I agree with you.

    We are supposed to control the government… “for the people, by the people”. We are giving them too much
    control over us. The consequences of this are enormous.

    Reply
  2. adrian says

    March 31, 2017 at 12:32 am

    The idea is great, but the implementation is poor. At the very least they should have a database of trademarked names like PayPal, Google, Microsoft, Watchguard (big grin) and others to prevent or minimise this kind of problem. It would be easy to make one of the conditions for issuing a free certificate that no trademarked or well-known brand names can be used as part of the certificate’s identity.

    However, there is another side to all this. What about a disgruntled person with a genuine grievance who might want to register a site like paypalfeesaretoohigh.com? They might want to securely capture the names of people who agree with the fictional proposition that PayPal fees are too high, for the purpose of submitting some kind of petition to PayPal or their Government.

    Certificates can already be purchased from most ISP/host providers for around A$45; most of that fee is used to verify that the purchaser owns the domain and meets other criteria. Personally, I don’t think that A$45 is a barrier for any criminal wanting to set up their own site. I imagine that A$45 is peanuts compared to the money that is made from scams involving malware-based advertising or fake sites. Similarly, any small business that moans about the price of certificates also needs to really think properly about their business model. Investing A$45 in a certificate to attract more customers, who now trust your online business, is a smart investment.

    Reply
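Both the research the post describes (sweeping Let’s Encrypt’s public certificate records for a brand name) and the issuance-time trademark check proposed in the comment above come down to the same piece of logic: fold a DNS name into a comparable form and look for a protected keyword in it. The following is an added example written for this page; it is not code from Secplicity, WatchGuard, the commenters or Let’s Encrypt. The `SAMPLE_ENTRIES`, `BRANDS` and `BRAND_OWNED` values are constructed for illustration, and a real monitor would read its entries from a Certificate Transparency log or a CT search service instead. It goes slightly beyond the post by decoding punycode labels and folding lookalike digits (`paypa1`) before matching, since a plain substring check misses those.

```python
"""Brand-keyword sweep over Certificate Transparency style records.

Added example for this page; not code from Secplicity, WatchGuard, the
commenters or Let's Encrypt.  SAMPLE_ENTRIES, BRANDS and BRAND_OWNED are
constructed for illustration; a real monitor would feed in entries read
from a CT log or a CT search service instead.
"""
import unicodedata
from collections import Counter

# Protected brand keywords (constructed list).
BRANDS = ["paypal", "google", "microsoft", "watchguard"]

# Names the brand owner legitimately controls (constructed allowlist).
# Compared against the literal name only, never the folded one, so a
# homoglyph of the real domain is still flagged.
BRAND_OWNED = {"paypal.example"}

# Digits and symbols commonly swapped in for letters to dodge naive filters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample records: (issuer, DNS names on the certificate).
SAMPLE_ENTRIES = [
    ("Let's Encrypt", ["www.paypal-account-verify.example"]),
    ("Let's Encrypt", ["secure-paypa1-login.example",
                       "m.secure-paypa1-login.example"]),
    ("Let's Encrypt", ["paypalfeesaretoohigh.example"]),
    ("Let's Encrypt", ["blog.example"]),
    ("Other CA", ["paypal.example"]),                 # the brand's own name
    ("Let's Encrypt", ["páypal.example".encode("idna").decode("ascii")]),  # xn-- form
]


def normalize_name(name: str) -> str:
    """Fold a DNS name to plain lowercase ASCII before keyword matching:
    decode punycode (xn--) labels, strip accents, then map lookalike
    digits/symbols to the letters they imitate."""
    name = name.strip().rstrip(".").lower()
    try:
        name = name.encode("ascii").decode("idna")   # xn--... label -> Unicode
    except UnicodeError:
        pass                                          # already Unicode or malformed: keep as-is
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return folded.translate(LOOKALIKES)


def matched_brand(name: str, brands=BRANDS):
    """Return the first protected brand contained in the folded name, or None.
    Brand-owned names are exempt by literal comparison only."""
    if name.strip().rstrip(".").lower() in BRAND_OWNED:
        return None
    folded = normalize_name(name)
    for brand in brands:
        if brand in folded:
            return brand
    return None


def find_brand_hits(entries, brands=BRANDS):
    """Detection side (the CT-log sweep from the research): one hit per
    name on a logged certificate that carries a protected brand."""
    hits = []
    for issuer, names in entries:
        for name in names:
            brand = matched_brand(name, brands)
            if brand:
                hits.append({"issuer": issuer, "name": name,
                             "normalized": normalize_name(name), "brand": brand})
    return hits


def count_by_issuer(hits):
    """How many flagged names each CA issued (the figure the research reported)."""
    return Counter(h["issuer"] for h in hits)


def issuance_check(requested_names, brands=BRANDS):
    """Prevention side (the policy proposed in the comments): refuse a
    request whose names carry a protected brand. Returns (allowed, reasons)."""
    reasons = [f"{n}: contains protected brand '{matched_brand(n, brands)}'"
               for n in requested_names if matched_brand(n, brands)]
    return (not reasons, reasons)


if __name__ == "__main__":
    hits = find_brand_hits(SAMPLE_ENTRIES)
    for hit in hits:
        print(f"{hit['issuer']:14} {hit['name']:40} -> {hit['brand']}")
    print(count_by_issuer(hits))
    print(issuance_check(["paypalfeesaretoohigh.example", "blog.example"]))
```

Run as a script, it flags five of the constructed names, all issued by the constructed "Let's Encrypt" issuer, and refuses the `paypalfeesaretoohigh.example` request. That last result is exactly the false positive the comment raises: a keyword filter cannot tell a grievance site from a phishing site, which is why this kind of match is better treated as a signal for a human or a brand-protection team to review than as an automatic verdict, whether it runs as a CT-log monitor or as an issuance gate.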

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use