Slashdot Mirror


Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com)

itwbennett writes: On Wednesday, Trend Micro wrote that it discovered a cyberattack on Dec. 21 that was designed to install banking malware on computers. The cybercriminals had compromised a legitimate website and set up a subdomain that led to a server under their control, wrote Joseph Chen, a fraud researcher with Trend. The subdomain used an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate issued by Let's Encrypt, the first large-scale project to issue free digital certificates, which is run by the ISRG (Internet Security Research Group) and is backed by Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai, among others. The incident has sparked disagreement over how to deal with such abuse, writes Jeremy Kirk.

5 of 123 comments

  1. Why the emphasis on Let's Encrypt? by Richard_at_work · Score: 5, Insightful

    This style of attack would have been able to get an SSL cert from most cheap cert providers, as most of the cheap ones only require you to dump a particular file in the right place on the website for verification, so why the emphasis on "Let's Encrypt"? Because they are "cheaper than cheap"?

    1. Re:Why the emphasis on Let's Encrypt? by QuietLagoon · Score: 5, Informative
      The emphasis on Let's Encrypt is misplaced.

      Unlike most other CAs, Let's Encrypt has a very short lifetime on their certs (60 days, I believe) so that an abused cert quickly falls out of the ecosystem. I've read that Let's Encrypt eventually wants to shorten that lifetime even more, to 30 days.

      Most other CAs have cert lifetimes of a year (or longer). Then the question surfaces - how useful is cert revocation? Do all TLS clients check for cert revocation?

    2. Re:Why the emphasis on Let's Encrypt? by Medievalist · Score: 5, Informative

      Most other CAs have cert lifetimes of a year (or longer). Then the question surfaces - how useful is cert revocation? Do all TLS clients check for cert revocation?

      Most SSL/TLS clients do not check for a relevant CRL. The few that do (such as Firefox and other web browsers) typically require configuration and won't check for revocation by default out of the box.

      In contrast, nearly all SSL/TLS clients that I am aware of (certain MTAs being an exception) will refuse to use an expired certificate unless specifically instructed to do so by the end user. So expiration is more likely to have an effect than revocation.
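The mechanics Medievalist describes, as an added Go example that is not from the article or from any commenter: a throwaway CA issues a certificate for a hypothetical attacker-created subdomain (ad.example.com), revokes it a day later and signs a CRL, and a client then verifies the chain the way crypto/x509 does, which is also how most TLS stacks behave. Let's Encrypt certificates are in fact valid for 90 days, so the example takes the lifetime as a parameter to compare 90 days against one year. The CA name, serials, dates and hostname are all invented for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Hypothetical subdomain the attackers created on the compromised site.
const leafHost = "ad.example.com"

// demoPKI: a throwaway CA, one leaf it issued, and the CRL it signed after the abuse was reported.
type demoPKI struct {
	caCert *x509.Certificate
	leaf   *x509.Certificate
	crlDER []byte
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demo setup: nothing sensible to do without entropy
	}
	return k
}

// issue signs tmpl with signer and parses the result back; setup code, so it panics.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newDemoPKI issues a leaf for leafHost at `issued`, revokes it a day later and signs a CRL.
func newDemoPKI(issued time.Time, lifetime time.Duration) *demoPKI {
	caKey, leafKey := newKey(), newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             issued,
		NotAfter:              issued.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{leafHost},
		NotBefore:    issued,
		NotAfter:     issued.Add(lifetime),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, &leafKey.PublicKey, caKey)
	// Day 1: the abuse is reported and the CA revokes the serial.
	revokedAt := issued.Add(24 * time.Hour)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          revokedAt,
		NextUpdate:          revokedAt.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: revokedAt}},
	}, caCert, caKey)
	if err != nil {
		panic(err)
	}
	return &demoPKI{caCert: caCert, leaf: leaf, crlDER: crlDER}
}

// chainValid is the check every TLS client performs: verify the chain for the expected
// hostname at time `at`. crypto/x509 enforces NotBefore/NotAfter here and never consults a CRL.
func (p *demoPKI) chainValid(at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leafHost, CurrentTime: at})
	return err == nil
}

// revokedPerCRL is the check a client has to add itself: verify the CA's CRL signature, then look up the serial.
func (p *demoPKI) revokedPerCRL() (bool, error) {
	crl, err := x509.ParseRevocationList(p.crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(p.caCert); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Calling newDemoPKI with a 90-day and a 365-day lifetime and checking on day 2 and day 91 gives the picture the comment paints: on day 2 both chains verify although the CRL already lists the serial, because Verify never looks at a CRL; on day 91 the 90-day certificate is rejected as expired while the one-year certificate still verifies. revokedPerCRL is the extra step a client must take on its own, and whether it takes that step (and where it fetches the CRL from) is up to each client.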

  2. Great Response by Anonymous Coward · Score: 5, Informative

    This article looks like a really good response to the issue: https://unmitigatedrisk.com/?p=552

  3. Applies to All Non-EV Certificates by EndlessNameless · Score: 5, Informative

    If they were able to create a subdomain, that means the attackers controlled all traffic to that subdomain.

    Since most certificate authorities only verify via email to the domain for which the certificate is requested, the attackers would have gotten a certificate from virtually any CA.

    There are additional verification steps required for EV certificates that should thwart this sort of attack, but singling out Let's Encrypt for issuing a certificate in this case is disingenuous.

    The real problem lies with the DNS registrar that accepted an unauthorized subdomain registration request. (Or maybe the client's account was compromised, in which case the victim is to blame.)

    Either way, the submission title makes it seem this is a problem with Let's Encrypt when it most certainly is not.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
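The "dump a particular file in the right place on the website" check from comment 1, and the point made in comment 3 that control of the subdomain is all the validation tests, correspond to the ACME http-01 challenge that Let's Encrypt offers. The Go example below is added here and is not code from the article, the commenters or Let's Encrypt; it implements both sides of that challenge against an in-process httptest server standing in for the web server behind the attacker-created subdomain. The validator fetches one URL and compares the body with token "." thumbprint(account key) as specified in RFC 8555 section 8.1 and RFC 7638. The account keys, token and server are constructed for the demo; baseURL stands in for http://<name> because no DNS is involved offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const challengePath = "/.well-known/acme-challenge/"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwkThumbprint is the RFC 7638 thumbprint of a P-256 account key: SHA-256 over
// the JWK reduced to its required members, lexicographically ordered, no spaces.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	x := pub.X.FillBytes(make([]byte, 32))
	y := pub.Y.FillBytes(make([]byte, 32))
	canon := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64(x), b64(y))
	sum := sha256.Sum256([]byte(canon))
	return b64(sum[:])
}

// keyAuthorization is the string the challenge responder publishes (RFC 8555, 8.1).
func keyAuthorization(token string, accountKey *ecdsa.PublicKey) string {
	return token + "." + jwkThumbprint(accountKey)
}

// validateHTTP01 is everything the CA checks for an http-01 challenge: fetch
// http://<name>/.well-known/acme-challenge/<token> from whatever host <name>
// resolves to and compare the body. baseURL stands in for "http://<name>".
func validateHTTP01(baseURL, token string, accountKey *ecdsa.PublicKey) (bool, error) {
	resp, err := http.Get(baseURL + challengePath + token)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, nil
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return false, err
	}
	return strings.TrimSpace(string(body)) == keyAuthorization(token, accountKey), nil
}

// newChallengeHost models the web server behind the attacker-created subdomain.
// Whoever controls it decides what is served for each token.
func newChallengeHost(published map[string]string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(challengePath, func(w http.ResponseWriter, r *http.Request) {
		if auth, ok := published[strings.TrimPrefix(r.URL.Path, challengePath)]; ok {
			io.WriteString(w, auth)
			return
		}
		http.NotFound(w, r)
	})
	return httptest.NewServer(mux)
}

func newKey() *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &k.PublicKey
}

// runDemo stands up the attacker's host, has it publish the key authorization for the
// attacker's ACME account, and runs the CA-side check for that account and an unrelated one.
func runDemo() (attackerPasses, strangerPasses bool, err error) {
	attacker, stranger := newKey(), newKey()
	tokenBytes := make([]byte, 16)
	if _, err := rand.Read(tokenBytes); err != nil {
		return false, false, err
	}
	token := b64(tokenBytes)
	host := newChallengeHost(map[string]string{token: keyAuthorization(token, attacker)})
	defer host.Close()
	if attackerPasses, err = validateHTTP01(host.URL, token, attacker); err != nil {
		return false, false, err
	}
	strangerPasses, err = validateHTTP01(host.URL, token, stranger)
	return attackerPasses, strangerPasses, err
}

func main() {
	a, s, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("controller of the host passes: %v; unrelated account passes: %v\n", a, s)
}
```

The validator learns exactly one thing: whoever answers HTTP for that hostname published the expected string for the account that requested the certificate. Nothing in the exchange speaks to whether that party is the site's owner, which is why any CA doing domain validation, not only Let's Encrypt, would have issued to an attacker who had already created the subdomain and pointed it at their own server.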