Certbot from Let’s Encrypt is making it easier to secure criminal websites

This article points out an apparent vulnerability with the Let’s Encrypt certificate authority for requesting free SSL encryption certificates.  The process of securing websites is automated by using their Certbot application that automatically installs certificates and configures web servers when a new site is added.  FOXDEV uses this service.  The asserted vulnerability with LE certificates is the ability to get a certificate for a phishing or scam website.  This isn’t a true vulnerability and LE isn’t giving criminals much more then they had before.

When a criminal orders a free SSL certificate from LE to use for a website, all they’re getting is an encryption certificate from a trusted authority that won’t alert browsers.  It displays a green padlock in the browser, but this is a problem with user behavior, not a problem with the service itself.  The problem can come up if a criminal makes a sub domain like this to use for a scam site: user-authentication.paypal.com.4433.service.example.com or paypal.com.4433.service.example.com.  It appears to be a subdomain of paypal.com.  Sub domains like this have already been in use by criminals to make websites look legitimate by including a real domain within a sub domain.  These domains can be used with unencrypted websites.  Most websites have been unencrypted until recently.  Before LE was available, criminals could still buy a certificate from one of the authorities.  They could even buy a wild card certificate and make an unlimited number of fraudulent sub domains.  The only advantage that criminals have now is the ability to request certificates for free.  Since they could still buy a wild card certificate before, this isn’t much of an advantage.

The solution to this problem is in reeducating user behavior.  Big businesses have bragged on their websites about the security of their websites and directed users to look for the padlock icon to verify that the site they were accessing was real.  Even before LE, any criminal could have bought a certificate for a fraudulent domain and used it to generate the same padlock icon.  We need to educate users that HTTPS only encrypts their access and they still need to verify the last levels of the domain properly.

Start the discussion at forum.r3df0x.com