Security Letsencrypt 14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites

Jimmy · Mar 25, 2017

14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites

Lynch's analysis comes to confirm some of the fears voiced as early as 2015, around Let's Encrypt's early launch phase.

Encryption and infosec experts warned that by providing free SSL certificates; phishers, tech support scammers, and other malware authors would flock to obtain free certificates and move their operations on HTTPS domains.

The first of these security incidents was a malvertising campaign that used Let's Encrypt certs, unearthed by Trend Micro in January 2016. Since then, there have been isolated cases, here and there, but nothing to hint at a mass abuse. Nevertheless, security researchers started spotting more and more of Let's Encrypt's certificates on malicious sites.
Click to expand...

RB1 · Mar 25, 2017

An SSL certificate and lock icon in the URL bar only means that the page is being served over SSL and is encrypted, right?

It doesn't in any way mean that you are safe to enter credit card information or personal details; I think this isn't a huge issue with LetsEncrypt, more of a fundamental flaw with how people perceive HTTPS being safe by blindly trusting it.

pamamolf · Mar 25, 2017

Https means that the communication is encrypted (secure) between you and the server and a third person can't intercept it and stole login info using attacks like MITM

eva2000 · Mar 25, 2017

Nevertheless, security researchers started spotting more and more of Let's Encrypt's certificates on malicious sites.
Click to expand...

Lynch, who points out the abuse of Let's Encrypt's infrastructure, doesn't blame the Certificate Authority (CA), but nevertheless, points out that other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks. This number is far smaller compared to misused Let's Encrypt certs.

Phishers don't target these CAs because they're commercial services, but also because they know these organizations will refuse to issue certificates for certain hot terms, like "PayPal," for example.

These CAs, even if not obligated by any standard or procedure, know that issuing these certificates will put users at risk.
Click to expand...

yeah pretty much expected when something is offered for free and is of use to someone !

I've seen as Centmin Mod LEMP stack becomes more popular, I've seen more Adult/Porn related sites start using Centmin Mod LEMP stack to power their sites Whether that is a good or bad thing, I don't really know yet Though there is a worry that Centmin Mod LEMP stack powers not so legal sites. But is it something I'd have control over for offering a free product anyone can download/install ?

Jimmy · Mar 26, 2017

Yea, you're not going to be able to control who uses Centmin Mod. I wouldn't be too worried about that. It would be like Linus starting to get worried about who uses Linux. If people who run not so legal sites couldn't use Centmin Mod, they'd just use something else.

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Security Letsencrypt 14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites

Jimmy Well-Known Member

RB1 Active Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Security Letsencrypt 14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites

Jimmy Well-Known Member

RB1 Active Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

Jimmy Well-Known Member

.