Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

BleepingComputer reports: During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word 'PayPal' in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store... Lynch, who points out the abuse of Let's Encrypt's infrastructure, doesn't blame the Certificate Authority (CA), but nevertheless, points out that other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks... Phishers don't target these CAs because they're commercial services, but also because they know these organizations will refuse to issue certificates for certain hot terms, like "PayPal," for example. Back in 2015, Let's Encrypt made it clear in a blog post it doesn't intend to become the Internet's HTTPS watchdog.
Of course, some web browsers don't even check whether a certificate has been revoked. An anonymous reader writes: Browser makers are also to blame, along with "security experts" who tell people HTTPS is "secure," when they should point out HTTPS means "encrypted communication channel," and not necessarily that the destination website is secure.

but you arent a traditional CA

[nimbius]

The fight against phishing and malware content is an important one, but it does not make sense for CAs to be on the front lines

but thats just it. prior to you, people had a barrier to entry. phishing sites needed to pay money to play in the https realm or hire someone smart enough to exploit an https protected site. your service removed both of those barriers and now allows dangerous sites to quickly and easily bypass an entire host of browser security checks designed to prevent people from entering bank card information and personal data into an unprotected site. That "lock" icon in the address bar is generally enough to convince people that what theyre doing with their Visa is sane. now, with letsencrypt, its not so certain.

if you're not going to at least police fraud or abuse, youre opening the service up to become a haven for quick and easy phishing sites. if you ignore this now, you might as well pack up and leave. Chrome and Firefox will not hesitate to lower their trust in your service if it turns into the .info and .biz of the internet.

Re: but you arent a traditional CA

[Zero__Kelvin]

You have a basic lack of understanding of the purpose of certs. They guarantee that if you try to connect to phishme.com that you indeed are connecting to phishme.com and not being MITMed. It is NOT the purpose of a cert to say that phishme.com is or is not a safe place to go. The onus of that remains upon you regardless of if you use HTTP or HTTPS.

Re:Never saw that coming

[AmiMoJo]

Right. The point of these certs is to verify that a secure connection to the site in question has been established and there is no man-in-the-middle or DNS hijack or proxy etc. It is not to verify the identity of the site in question.

Re:Never saw that coming

[msauve]

"there is no man-in-the-middle or DNS hijack or proxy etc. It is not to verify the identity "

If the identity of the endpoint can't be verified, exactly how is it that MITM is prevented? Are MITM sites required to set the Evil Bit?

silent s

[bugs2squash]

I'm sure the "so called" security experts you deride would point out that the S in HTTPS is not simply encryption spelled in a funny way. Security != Encryption and the role of the certificate is Authentication not Encryption. If it doesn't authenticate anything then it is worthless, and the whole bloody point of a public CA IS to be the internet's watchdog or there is no point in trusting them.

Or do they feel that the only role of an adult is to buy liquor for children ?