Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

BleepingComputer reports: During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word 'PayPal' in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store... Lynch, who points out the abuse of Let's Encrypt's infrastructure, doesn't blame the Certificate Authority (CA), but nevertheless, points out that other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks... Phishers don't target these CAs because they're commercial services, but also because they know these organizations will refuse to issue certificates for certain hot terms, like "PayPal," for example. Back in 2015, Let's Encrypt made it clear in a blog post it doesn't intend to become the Internet's HTTPS watchdog.
Of course, some web browsers don't even check whether a certificate has been revoked. An anonymous reader writes: Browser makers are also to blame, along with "security experts" who tell people HTTPS is "secure," when they should point out HTTPS means "encrypted communication channel," and not necessarily that the destination website is secure.

also..

they are changing the name to "Let's Phish"

but you arent a traditional CA

[nimbius]

The fight against phishing and malware content is an important one, but it does not make sense for CAs to be on the front lines

but thats just it. prior to you, people had a barrier to entry. phishing sites needed to pay money to play in the https realm or hire someone smart enough to exploit an https protected site. your service removed both of those barriers and now allows dangerous sites to quickly and easily bypass an entire host of browser security checks designed to prevent people from entering bank card information and personal data into an unprotected site. That "lock" icon in the address bar is generally enough to convince people that what theyre doing with their Visa is sane. now, with letsencrypt, its not so certain.

if you're not going to at least police fraud or abuse, youre opening the service up to become a haven for quick and easy phishing sites. if you ignore this now, you might as well pack up and leave. Chrome and Firefox will not hesitate to lower their trust in your service if it turns into the .info and .biz of the internet.

Re: but you arent a traditional CA

[Zero__Kelvin]

You have a basic lack of understanding of the purpose of certs. They guarantee that if you try to connect to phishme.com that you indeed are connecting to phishme.com and not being MITMed. It is NOT the purpose of a cert to say that phishme.com is or is not a safe place to go. The onus of that remains upon you regardless of if you use HTTP or HTTPS.

Re:but you arent a traditional CA

Actually, letsencrypt is fine.

The idea of PAYING anyone to verify is bunk.

The system should merely identify that the channel is in fact encrypted, there should not be any 'trust' etc stuff attached to it.

Currently this has created companies which profit from these certs, and browser makers I'm guessing are getting a kick back for it as well identifying an encrypted channel as either 'good' encrypted or 'bad' encrypted.

An encrypted channel is a fact and all encrypted channels should simply state that encryption is being used and that should be the end of it.

If they want some sort of corporate interference and verification that shouldn't be anything to do with a browser or the web it should be a 3rd party company people pay in some way along with some sort of plug in from said company.

Anyone should be able for free to generate a cert and encrypt their personal website and the browser shouldn't run double checks against who has paid and who has not paid because that is violating the whole idea of the web (free/open). Browser vendors appear to have been high jacked by SSL certificate issuers when in truth anyone should be able to generate and apply encryption to their website for free without interference from anyone else.

At the moment though if you self generate your encryption the browser checks to see if it's linked to a corporation and says that it is 'insecure' if it is not registered which is bunk. The channel is just as encrypted and just as secure whether you pay or not, payment is simply creating security theater and putting a tax on anyone who just wants to enable HTTPS on their website.

Re:but you arent a traditional CA

Nope, not going to happen.

The entire reason this is happening is because the browser vendors got a stick up their ass and required HTTP/2 connections to be run over TLS. So Let's Encrypt fills in the same space for HTTPS as Cloudflare does for CDN. They are not there to police their customers, and will ignore lots of shit until someone actually takes them to court.

The solution has always been there. The self-signed certificate should never have been "this might be a dangerous site" warning. That is what the self-signed certificate was for. Let's encrypt ends up moving the goal posts from unencrypted, to self-signed, to lets-encrypt (but not verify identity), all the while improving nothing. An unencypted connection is fast, cacheable, and secure enough when you're just transfering photos and cat videos. For the "HTTPS-everywhere" has basically made website operators costs double if they want to jump on that bandwagon because the bandwidth costs explode when they can no longer be cached.

Re: but you arent a traditional CA

So should verisign (Symantec) given the recent news of their issuances for sites not owned by the requesting party.

Re: but you arent a traditional CA

[supertall]

It is however the duty of the CA to verify identity and ownership of the domain before issuing the cert. That what makes them an authority.

Re:but you arent a traditional CA

[hawkinspeter]

You are entirely misunderstanding how SSL certificates work. LetsEncrypt allows the owner/administrator of domains to get and use a free SSL certificate and there is nothing to suggest that they are giving out certificates to non-owners of the relevant domains. The fact that you confuse paypal.com with playpal.com is not a problem with SSL encryption.

Re:but you arent a traditional CA

[Gravis+Zero]

That "lock" icon in the address bar is generally enough to convince people that what theyre doing with their Visa is sane. now, with letsencrypt, its not so certain.

I do not disagree with anything you wrote but this conflates the idea of a secure connection to a website as being a legitimate website. This has never been true.

if you're not going to at least police fraud or abuse, youre opening the service up to become a haven for quick and easy phishing sites. if you ignore this now, you might as well pack up and leave. Chrome and Firefox will not hesitate to lower their trust in your service

Sadly, this is true and I think some basic safeguard requirements need to be put in place to prevent new registrants/hidden registrants from abusing the service.

if it turns into the .info and .biz of the internet.

Sir, how you denigrate my superbe site, InternetIsSrs.Biz!

Re:but you arent a traditional CA

[thegarbz]

allows dangerous sites to quickly and easily bypass an entire host of browser security checks designed to prevent people from entering bank card information and personal data into an unprotected site. That "lock" icon in the address bar is generally enough to convince people that what theyre doing with their Visa is sane. now, with letsencrypt, its not so certain.

Except that's not what it does at all. A lock does not imply a chain of trust. The actual name in the actual site is what implies a chain of trust and you don't get that name from Let's Encrypt or any of the several free services which provided certificates in the past. If I go to my own personal website my browser says "Secure". If I go to PayPal my browser says "PayPal, Inc [US]." No checks have been bypassed.

Also quite frankly, GOOD. I still greatly prefer only one phisher getting my credit card information than it being broad cast unencrypted to absolutely everyone.

Re:but you arent a traditional CA

[dgatwood]

... phishing sites needed to pay money to play in the https realm or hire someone smart enough to exploit an https protected site.

Nope. StartSSL had been issuing free low-validation certs since at least 2009, some six years before Let's Encrypt issued its first cert. The only substantive differences between Let's Encrypt and StartSSL, as far as I can tell, are:

• Let's Encrypt didn't get bought out by a Chinese registrar who abused their signing certs in ways that caused them to become untrusted by most browser vendors.
• Let's Encrypt forces you to use automated certificate updating by limiting the certificate duration to a ridiculously short period for no actual security benefit (and worse, in its default configuration, generates a new RSA key every time it renews the cert, which significantly weakens the security model by making key pinning impossible).
• Let's Encrypt merely requires you to prove that you have control over the web server, rather than that you have control over the domain, which also weakens security somewhat if your server gets compromised.

But in terms of being able to get free certs for a domain that you control, there's no real difference.

Re: but you arent a traditional CA

Not for these certificates, actually. These are DV certificates; the only validation done is "does the customer control that domain". They don't do any meaningful address checking.

It's not new. Guess what -- if you want to offer that level of verification, they have a much more expensive product for that. (EV)

Re:but you arent a traditional CA

[mjr167]

I run a website for a small non-profit with 0 operating budget. How would we be able to afford certs? I already eat the hosting costs.

Re:but you arent a traditional CA

[l0n3s0m3phr34k]

The few times I've used Let's Encrypt was during testing phases, as a place-holder until I had the time to get a "real" cert. My company has an inane procedure to get purchase orders to pay for anything, so often it takes a couple of weeks to get to the point of being able to purchase anything via a "new vendor". If you can't afford $5 or so to get a year-long cert, then your either not serious about your site or doing something wrong.

The most complicated process of getting a cert was for a "private domain", as very few places even offer them. I needed one for our "internal" domain controller to securely work with Mimecast, and since the domain ended in ".tul" it took quite some time for verification. We had to submit our Dun and Bradstreet number, verify various items, and other hoops to get a valid cert...and it costs almost $400 per year. What was really fun was trying to explain that Microsoft's "advise" used to be "don't use a real domain for your AD" until just a few years ago to upper management.

Re: but you arent a traditional CA

[DarkOx]

Correct certs are about AUTHENTICATION, Its to make sure that when you put your CC info in you really are sending it to paypal.com and not someone else. However, if letsencrypt lets me register päypal.com and you can't easily see something is different, that certificate isn't helping you to authenticate any more, its essentially a really good fake id! I am going to confuse that with the real paypal.

Its not a question of determining if phishme.com is safe or not its a question of knowing who you are talking to and that can be hard. Its why in the real world a photo id is often required. Are you THAT Bill Gates or just a Bill Gates, which is where letsencrypt is making things harder for everyone. It used to be that a sorta responsible CA would not issue a cert of what is obviously an attempt to conflate you site with a well known brand.

Re:but you arent a traditional CA

[DarkOx]

Which is why I am advising all my corporate clients that do SSL intercept to either block site that have used and LE cert, or present the invalid/self signed warning to their users. These things are not better than self singed.

Re: but you arent a traditional CA

[VikingNation]

Digital certificates are also used for authentication and identification of a participant in the communication.

Re: but you arent a traditional CA

[VikingNation]

I thought that web browsers checked the chain of then certificate back to the issuing root? Would a break in a chain result in a broken "lock" in the browser?

Re: but you arent a traditional CA

[thegarbz]

And the person who owns www.phishme.com will actually own the domain www.phishme.com which is the domain that will show up on the certificate he is asking to be issued. The authority chain here is entirely preserved.

Re: but you arent a traditional CA

[thegarbz]

I am going to confuse that with the real paypal.

Except that's not the difference you get in a browser. If you connect to a site with a domain validation certificate like the one Lets Encrypt issues then all the browser will say is "Secure"

If you're wanting to guarantee that you're actually connecting to PayPal then that's a completely different certificate with a completely different process for a completely different purpose, and shock horror it is handled differently by the browser and displayed differently to the end user. Instead of "secure" the browser bar will say "PayPal Ltd. [US]"

Re: but you arent a traditional CA

[thegarbz]

Domain certificates do not identify or authenticate anything more than the server claiming to be the domain, and Lets Encrypt does a good job of proving that, probably more so than most other CAs.

If you want extended validation (The one that makes your browser say "PayPal Ltd. [US]" in the title bar rather than simple displaying a little green lock, then that's a different process and a different certificate, one which Let's Encrypt does not issue.

Re:but you arent a traditional CA

[thegarbz]

Why? Demonstrate where the trust chain is broken?

Lets Encrypt issues DV certificates only, and that chain of trust is 100% preserved, much more so than the process with many other CAs.

Re:but you arent a traditional CA

[Just+Some+Guy]

The entire reason this is happening is because the browser vendors got a stick up their ass and required HTTP/2 connections to be run over TLS.

And by that, you mean the browser vendors realized that "unsafe by default" is a shitty choice for a widely used Internet standard.

For the "HTTPS-everywhere" has basically made website operators costs double if they want to jump on that bandwagon because the bandwidth costs explode when they can no longer be cached.

Totally worth the tradeoff for making strong encryption the expected default.

Re:but you arent a traditional CA

[thegarbz]

These things are not better than self singed

And they are not trying to be. Why would you block a CA issuing only DV certificates when their process 100% confirms that the requestor of the DV certificate is the server owner?

Do you not trust your communication to Slashdot to be secure?

Re:but you arent a traditional CA

[Just+Some+Guy]

Which is why I am advising all my corporate clients that do SSL intercept to...

...stop that insecure crap immediately, because you take security seriously and don't want to weaken their defenses. Right?

Re: but you arent a traditional CA

[bill_mcgonigle]

Typosquatting has been a problem for twenty years and DV certs fo at least half that time. Why would this suddenly be Let's Encrypt's problem? $4.95 has never stopped phishing attacks before.

Any typosquatting solution is going to be entirely locale dependent - the only place to handle that is at the browser. Give Google and MoFo hell about never caring about this. For all I know the Khazak word for "hot pizza" looks like "citibank" but it's definitely not a job for Let's Encrypt to deny that pizza place a cert. If we insist they do, they will either fail to succeed or give up and go home. Cui bono?

Re:but you arent a traditional CA

[marka63]

You mean to say I can't name a site for finding pals to play with "playpal.com"? It's not LetsEncrypt job to find out what the use of a site is for.

Re:but you arent a traditional CA

[marka63]

You can get the equivalent of key pinning using DNSSEC and TLSA.

Now if browsers vendors supported TLSA it would improve security because rogue CA's can't issue a cert for the name that will be accepted.

Re: but you arent a traditional CA

[thegarbz]

Sorry wrong "chain of trust". You're talking about a chain of trust back to the CA. I.e. website claims that they are a specific server, they claim another authority validated that, and the other authority is a root authority trusted by the browser and they can show that through the certificate chain. That is the chain of trust that will break the lock and bring up warnings if it is not setup correctly.

The "chain of trust" (I shouldn't have used that phrase) I was talking about is that you're talking to a server which claims to be responding for a domain, which claims to be part of an organisation, which has been shown to be a legally registered business in some country of the world. This is achieved through EV certificates, something that Lets Encrypt does not provide, and something that companies like PayPal use to prevent phishing.

Re:but you arent a traditional CA

[dgatwood]

The few times I've used Let's Encrypt was during testing phases, as a place-holder until I had the time to get a "real" cert. My company has an inane procedure to get purchase orders to pay for anything, so often it takes a couple of weeks to get to the point of being able to purchase anything via a "new vendor". If you can't afford $5 or so to get a year-long cert, then your either not serious about your site or doing something wrong.

Or you have more than the one subdomain that most CAs allow for $5 certs. Even with a limit of five for Let's Encrypt, it takes two certs for my main domain. Bare domain, www, images, git, homeserver, kinji, and I feek like I'm still forgetting one. A wildcard domain cert starts at two hundred bucks.

Re: but you arent a traditional CA

[mhkohne]

You have a basic lack of understanding of the purpose of certs. They guarantee that if you try to connect to phishme.com that you indeed are connecting to phishme.com and not being MITMed. It is NOT the purpose of a cert to say that phishme.com is or is not a safe place to go. The onus of that remains upon you regardless of if you use HTTP or HTTPS.

Yea, but have you noticed that the general public has no idea how much of anything actually works, or frankly what most things are actually for? Most people have no real idea what that little lock icon means, so (assuming that someone managed to train them to look for such things at all), they think the lock icon means they are good to go. The slightly more subtle message of 'yea, this website IS who it says it is, but that doesn't mean it's not a criminal' is lost on these people.

So yea, it's a problem, but at this point it's fairly obvious that trying to train the users to pay attention to the things the browser tells them, and teaching them what those things really mean IS NOT WORKING.

I can't fault Let's Encrypt for not wanting to try to police everything, but if they could do a few keyword matches and pay attention to the really blatant stuff, it would probably help.

Re:but you arent a traditional CA

[DavidRawling]

I believe the current "head-up-ass" view of this is that you should just throw another few bucks to a CA every year, or get off the web. Maybe just give all your content to Farcebook, Gargle, Nanosoft etc, because why should us peons be allowed to put things on the web without what amounts to the modern version of royal assent? (It's usually couched in terms like "Well, how do you know your content wasn't altered by the time it got to the client" and "Your ISP is secretly recording everywhere you go and everything you do"). These concerns are not incorrect, but they can be ... overemphasized.

To be fair, there are cheap places to buy certificates - I was looking recently and found I could get one for about $30 for a normal site. But wildcards etc are still hundreds if you need more than one domain. Killing a free CA (who is delivering exactly what they say they will) isn't going to help.

Re:but you arent a traditional CA

[DavidRawling]

A wildcard domain cert starts at two hundred bucks.

Woe betide you if you host webmail and the like for friends etc, and you need multi-wildcard certs (last I checked, $2K a year for me vs $0 from LE).

Re: but you arent a traditional CA

[Bert64]

Which they do...
The scammers genuinely do own and/or control these domains. It's down to the users to notice that these domains are different from the genuine paypal domain.

Re: but you arent a traditional CA

[Bert64]

If you can't tell the difference between paypal.com and päypal.com then perhaps you should be booking yourself in for an eye test... The cert is doing its job, it's your fault if you can't read properly.

And it was always easy to get an SSL cert, you just had to control the domain in question and be willing to pay for the cert, the process has been entirely automated with most registrars for years. Scammers would frequently buy certs using stolen cards too.

Re:but you arent a traditional CA

[hawkinspeter]

You're suggesting that as well as verifying the identity of a domain owner, that the CA must identify any similarity to already existing domains and not allow any that are arbitrarily too similar. That's just retarded.

Re: but you arent a traditional CA

[Actually,+I+do+RTFA]

It is NOT the purpose of a cert to say that phishme.com is or is not a safe place to go. The onus of that remains upon you

I get that, but browser makers use iconography that suggests that it is a safe place to go. It's not the average user's fault that the giant green lock makes them think "safe" not "no MITM attack".

Re:Never saw that coming

[AmiMoJo]

Right. The point of these certs is to verify that a secure connection to the site in question has been established and there is no man-in-the-middle or DNS hijack or proxy etc. It is not to verify the identity of the site in question.

Re: blacklist them

[Zero__Kelvin]

We get it. You have no idea what certs are for. No need to keep making the point.

Re:Phishing is good

[Artem+S.+Tashkinov]

How on Earth would a non IT person "verify the legitimacy of emails and websites?"

Let's say, you entered paypal in Google and miraculously the second link leads to paypall.com (such a SEO "optimization" is entirely possible if your have enough resources) which is the exact same copy of paypal.com, which siphons your log in credentials. How would you know paypall.com is not PayPal? Extended validation is still better than nothing.

HTTPS was a badly realized afterthought and it bites people all the time. I wonder if this problem can be solved at all. There are way too many things you have to blindly trust when you're using the Internet: several layers of routing, DNS, SSL, etc. etc. etc. 99% of people in the world have no idea how this all works and how you can be sure you're safe. Then even your OS is not exactly without bugs and security vulnerabilities which allow the attacker to hijack your connection. Then you have various three/four letter agencies around the world who have ways of getting into your computer systems without you knowing.

"Verify", my arse.

Foundamental flaw of the CA infrastructure

[Cigaes]

This story shows the fundamental flaw of the TLS CA infrastructure: it only certifies that the connection is established with the reported DNS domain name. That is not utterly useless, but not far from it.

The protection against man-in-the-middle attack is relevant only in a handful of cases. With home Internet access, MitM can more or less only be performed by network operators, who have a lot to lose if they are caught playing these games. It is more of an issue with public access, but still rather minor.

What would be really useful would be CA that certify the honesty of the sites. “If you see our green padlock, that means this site is reliable. If they scam you, we will refund you.”

I will not hold my breath.

Re:Foundamental flaw of the CA infrastructure

[MobyDisk]

With home Internet access, MitM can more or less only be performed by network operators,

How so? This is exactly what HTTPS prevents.

Re:Foundamental flaw of the CA infrastructure

[Nkwe]

The protection against man-in-the-middle attack is relevant only in a handful of cases. With home Internet access, MitM can more or less only be performed by network operators, who have a lot to lose if they are caught playing these games. It is more of an issue with public access, but still rather minor.

There is no difference between protection from man in the middle attacks for home users and users using public access. The user (or software / browser on the user's computer) is either validating certificates or they are not. Validation includes checking cryptographic signatures, checking revocation lists, and checking that the subject matches the requested resource (web site). It is true that checking signatures requires keeping tabs on what certificate authorities are trusted, which is a difficult problem, but this challenge isn't any different for home or mobile users. The whole point of Public Key Infrastructure is to prevent man in the middle attacks (provide secure communications.)

I would argue that MitM is relevant in all cases, especially when you consider that beyond your (or the coffee shop's) ISP, you have to worry about spyware on your machine doing it. You may have even have agreed to it by installing something like comScore or any anti-virus product that "protects encrypted sessions". In the workplace you can have similar issues, many companies have egress filtering firewalls which perform MitM attacks on outbound encrypted traffic (otherwise they would not be able to monitor the traffic). In the work place though, the company owns the machine and can add the firewall's on the fly generated certificates to your trusted CA list.

Man in the middle attacks are possible and relevant pretty much everywhere.

Re:Foundamental flaw of the CA infrastructure

[thegarbz]

With home Internet access, MitM can more or less only be performed by network operators

Oh wow are you wrong about that. There are a myriad of ways you can MitM a connection other than passive listening. The most popular way is through malware that routes your connection via some third party. Having home internet doesn't make you secure against MitM attacks in the slightest.

Re:Foundamental flaw of the CA infrastructure

[Cigaes]

Answering to this and the others:

If you install malware on the target's computer, that is not a man-in-the-middle, and certificate will be of little protection anyway.

Re:Foundamental flaw of the CA infrastructure

[Fnord666]

The protection against man-in-the-middle attack is relevant only in a handful of cases. With home Internet access, MitM can more or less only be performed by network operators, who have a lot to lose if they are caught playing these games. It is more of an issue with public access, but still rather minor.

You don't really know how SSL/TLS works do you?

Re:Foundamental flaw of the CA infrastructure

[taustin]

You are entirely correct. It was the same when I was running a web store in the 90s. It took me all of 30 seconds to figure out that the only thing a Certificate Authority is certifying is that your credit card didn't bounce, and the only thing they're an authority on is processing credit cards.

Re:Foundamental flaw of the CA infrastructure

[thegarbz]

What would be really useful would be CA that certify the honesty of the sites. “If you see our green padlock, that means this site is reliable. If they scam you, we will refund you.”

They already work the way you think. You just don't understand the difference between the green padlock and the green text that comes up with an OV or EV certificate.

The certificates issued to www.paypal.com will show a green padlock along with the very obvious text "PayPal Ltd [US]" next to it. The certificates issued to www.playpal.com will only show that little padlock indicating the channel is encrypted.

Re:Foundamental flaw of the CA infrastructure

[Cigaes]

They cannot work the way I evoke when the CA is chosen by the server and not the client.

Re:Foundamental flaw of the CA infrastructure

[dgatwood]

More generally stated, if you can't trust the endpoint, you can't trust the communication, period. No protection scheme can protect against a compromised endpoint.

Re:Foundamental flaw of the CA infrastructure

[thegarbz]

The CA IS chosen by the client. It is your prerogative who you trust to be a CA. The browsers only come with a list of defaults. Those list of defaults are based on what the browser vendors think is sane based on the performance of the authority. And quite frankly an authority that actually physically checks that a user is able to run a script that modifies a directory on a server within a domain in question is pretty damn authoritative on defining that a server belongs to a domain that it claims (the scope of a DV certificate).

Re:Foundamental flaw of the CA infrastructure

[Cigaes]

The CA IS chosen by the client.

No, the CA is chosen by the server. The only choice for the client is to either trust or not trust. They cannot decide to use another CA with more guarantees.

defining that a server belongs to a domain that it claims

Which is all but useless, and exactly the source of the present thread.

Re:Foundamental flaw of the CA infrastructure

[thegarbz]

Which is all but useless

Not trusting the endpoint is a different problem to not trusting all parties in between. There's a very big advantage in knowing that when I type a password intended for one specific website that it actually is going to that specific website, and not say the proxy server, or that guy in sitting next to me at Starbucks.

Re:Foundamental flaw of the CA infrastructure

[Cigaes]

the proxy server, or that guy in sitting next to me at Starbucks.

Which is exactly what I said in my first message: for public access like Starbucks, it makes a little sense. For home access, where the only people in between are network operators, the likelihood of a MitM is tiny.

Re:Never saw that coming

[msauve]

"there is no man-in-the-middle or DNS hijack or proxy etc. It is not to verify the identity "

If the identity of the endpoint can't be verified, exactly how is it that MITM is prevented? Are MITM sites required to set the Evil Bit?

silent s

[bugs2squash]

I'm sure the "so called" security experts you deride would point out that the S in HTTPS is not simply encryption spelled in a funny way. Security != Encryption and the role of the certificate is Authentication not Encryption. If it doesn't authenticate anything then it is worthless, and the whole bloody point of a public CA IS to be the internet's watchdog or there is no point in trusting them.

Or do they feel that the only role of an adult is to buy liquor for children ?

Re: silent s

[Zero__Kelvin]

The rule of my ID is to prove I really am me. It was issued by the government. It does exactly that. It DOESN'T vouch for me as a human being. The save here. The cert vouches that I am dealing with phishme.paypall.com ... it doesn't say that said site is run by a stand up guy you should trust. Never has ... Never will ... Was never SUPPOSED to. HTH!

Re:silent s

[hawkinspeter]

But the certificate does authenticate that the domain in your browser URL bar is owned/controlled by the owner of the certificate. The fact that you are going to a different domain than the one that you expected is nothing to do with HTTPS. The whole point of a CA is to provide a certificate to legitimate owners of the domains. The point of a CA is NOT to determine that such-and-such domain is mistaken with another domain because the user is stupid.

Re:silent s

[hcs_$reboot]

Secure means Encrypted. If you need authentication, use the much more expensive EV certicates, to get a nice browser green bar that includes the name of the company.

Re:silent s

[thegarbz]

If it doesn't authenticate anything then it is worthless

Oh but it does. A DV certificate authenticates that a computer responding on behalf of a domain is who it claims to be. Let's Encrypt is perfectly fine for that and does not issue any certificate with information that isn't completely authenticated. This is why they don't issue OV or EV certificates.

The S doesn't indicate anything to do with security and encryption. It indicates a different protocol to standard HTTP is being used. The various results of different certificates are shown differently by browsers. e.g. DV certificate gives you a little green padlock, and an OV certificate gives you your fully qualified organisational name in the title.

You not understanding the difference doesn't make a CA any less trustworthy, and Lets Encrypt demonstrates 100% authenticity of the certificates they issue within the scope of what that certificate is intended to do: Prevent MitM attacks by authenticating the end point as the correct *server*.

Re:Never saw that coming

[AmiMoJo]

Sorry, that wasn't very clear. It is to identify that the server is the server it claims to be, but does nothing to verify the identity of the person running the server.

For example, Let's Encrypt will check that the person getting the certificate really does control www.paypall-secure-login.com, but not that they are actually PayPal Inc. The point is to allow a visitor to establish a secure connection with the server, not to check that the web page served up is not misleading.

Re:Never saw that coming

[hawkinspeter]

The identity of the endpoint is shown in the browser URL. To prevent a MITM attack, I recommend using NoScript, so you can enable javascript on paypal.com, and your browser will then not run javascript on phisingpaypal.com without the user enabling it.

Re:Phishing is good

[hawkinspeter]

NoScript. You enable javascript for paypal.com and then anytime you visit paypall.com, your browser sits there not running any javascript.

Re:Phishing is good

[tomhath]

You have so much knowledge and such good people skills, I suggest you help senior citizens become more net savvy by volunteering some of your time in a nursing home or local senior citizen's center. Hopefully you can educate people like my mother, who just shook her head and said "I don't understand the instructions, it's all in geek".

Revocation checks are problematic

some web browsers don't even check whether a certificate has been revoked.

This is a sloppy and invalid slur, hiding behind vagueness (it's a bogus criticism of Chrome). Revocation is useless when you fully work the threat model, and similar designs to address the uselessness are probably not workable. Remember, unless a scheme can handle revoking ~every certificate at once, it's inadequate recovery for Heartbleed. It's also a privacy problem because it lets CAs build a log of all web traffic.

The best incremental refinement is short-lived certificates auto-issued by intermediate CAs. CRLSet can revoke intermediate CAs. For normal certs, don't reissue and let them expire. That's basically what lets encrypt is, except "short-lived" is not short enough, like a day or two, yet. Also, as they point out, "weakest link": it's not a real answer unless every CA does it because an undeserving attacker could get someone to sign a long-lived cert for your domain even if you use short-lived ones. But this is the bog-obvious PKI refinement that's currently fashionable. The two-tier system keeps the CRL small, and the certs subject to "confirmation" (by not appearing in the latest short-lived CRL) can be backed by HSM that can't sign things quickly but is very unlikely to sign things wrongly.

The refinement being pushed instead of the obvious one is "OSCP stapling" and perhaps "must-staple", because this preserves the CA cartel. Without some long-lived rare magical token to give you, it's difficult to convince you that you owe them lots of money, so we still give you the token as a pacifier but then implement the above sane scheme in rube goldberg fashion, moving what should be the cert into the stapled confirmation.

However I think the correct response is not the obvious refinement. It's a major rethinking of the architecture, like Sovereign Keys. In this scheme, you must give up privacy to some central server because you must do lookups on a structure too big to store locally, but you can choose to whom you give it up because the structure is a blockchain that anyone can sync. Actually it might be small enough to store on a single computer so no big deal, but even if it weren't it's still less bad than OSCP privacy because of the option of picking a mirror you "trust".

Using PayPal in the domain name

[hcs_$reboot]

And? You may also get a wildcard certificate from whoever (even net sol) for *.mydom.com then create a host 'paypal.mydom.com' in DNS having paypal in the name, and covered by the certificate. If this article tries to discredit Let's Encrypt because they're free, paypal in the name is not the right argument.

Seems familiar

[ugen]

Something about road to hell being paved with good intentions.

The issue is not SSL, certs or lack thereof. The issue is the fact that among human population there exist several fairly consistent groups. One of these groups is "low information people" (not to call them "stupid"). Another group is "dishonest people". Yet another is "well intentioned people" who want to protect the former from the latter. But, as the "wily" are, by definition, loath to play by the rules and, in general, fairly smart - they will surely find ways to exploit whatever well intentioned thing to take advantage of the "low informed".

There isn't really any solution here.

Re:Seems familiar

[fnj]

"low information people" (not to call them "stupid")

"Low-information" is a silly PC circumlocation. There are perfectly appropriate terms such as "ignorant" and "naive" to use to describe people who don't know stuff.

Re:Seems familiar

[ebvwfbw]

No solution? How about have someone eyeball the request. Do some checking. I thought that was the whole point of having an SSL certificate. I remember in the old days (20 years ago), Verisign just about made you sign in blood that you were in charge of the domain you were asking for a certificate for. One year only. Some years later we got Thawte, and such that were about as valuable as a sheet of toilet paper. Yet some legitimate people used them.

Doesn't have to be much. It would be nice to knock a lot of them down.

Re:Phishing is good

[dgatwood]

Or AutoFill. You enable AutoFill for PayPal.com, and then when your password doesn't automatically show up, you look at the URL more carefully and immediately see why.

The real threats to security are not the CAs that issue certs for sites containing PayPal in the name. The real threats are clueless sysadmins at (mostly banking) websites that insist on not allowing AutoFill and/or break their websites in ways that make AutoFill stop working when it worked before. Besides playing right into the hands of keyloggers, such actions force people to remain willing to type passwords when in reality, users should never, ever, ever type a password into a website. Ever. Seriously.

... that and browser makers, who haven't bothered to come up with a global standard for changing passwords so that users whose computers become compromised can easily reset all their passwords automatically with a single click, and also haven't bothered to come up with completely automatic plug-in update systems, thus making it easy to trick people into believing that their Flash Player or Silverlight plug-in is out of date, thus causing them to download and run a trojan horse installer that steals their password database, etc.

More tips for browser makers

[sootman]

(... because I'm sure they read /. and value my opinion... )

1. NEVER hide ANY part of the URL. If the URL extends beyond the size of the location box, give a nice big '...' for people to click on to see it.

2. ALWAYS show a status bar that ALWAYS shows what URL I'll go to if I click a link. NEVER allow ANYTHING to change this behavior.

3. NEVER hide the protocol.

4. Don't allow 'data' URIs in the URL bar by default. https://www.wordfence.com/blog... (This also relates to #1)

5. Don't make SUCH a big damn deal about 'https' -- big green text, giant padlock icons, etc. I've been telling people for YEARS that an HTTPS connection to bankofamurica.ru is worth NOTHING.

This won't solve everything, but the least that browser makers can do is give people the tools they need to help them make good decisions. Long story short, QUIT HIDING SHIT!

6. Bonus: enough with all these new shit TLDs. Is a world where http://blog.google/ exists (note: it does) REALLY a better place than one where it doesn't? Or is it just more confusing?

Re:More tips for browser makers

[Sebby]

2. ALWAYS show a status bar that ALWAYS shows what URL I'll go to if I click a link. NEVER allow ANYTHING to change this behavior.

Also, don't allow changing what is shown in that status bar, like custom text instead of that link.

Re:More tips for browser makers

[thegarbz]

1. Agree
2. Irrelevant. Sources from phishing attacks do not originate from within the browser. Most often they do from some external source (email being the most popular).
3. Irrelevant. No one cares about the protocol and the general public doesn't understand it so it does nothing to aid security. Even on browsers that hide the protocol people interested in it can identify it from the rest of the information in the URL bar (the colour / padlock icon).
4. Agree
5. They don't. There's a difference in the display when I go to Slashdot.org (a standard SSL certificate) vs when I go to Paypal.com (an extended validation certificate)
6. Agree

Re:More tips for browser makers

[twistedcubic]

1. NEVER hide ANY part of the URL. If the URL extends beyond the size of the location box, give a nice big '...' for people to click on to see it.

Given the example domains are of the form paypal.com.abc.xyz.tld (example: paypal.com.resolution-ticket.tk) maybe the tld should always be visible.

Re:More tips for browser makers

[Sigma+7]

Two fixes. The bulky method shows if there's any onclick or onleavepage events going to fire when you click said link. The other method involves a few click to ban certain sites from running javascript.

Re:More tips for browser makers

[houghi]

Concerning number 6. I know it is hindsight, but having com, net and org was a bad idea. It would have been better to just stick to countries and then let each country decide how to deal with it.

So .us as default would have been better. If they would have gone with .com.us or not would have been up to them.

"But what about things like Debian that uses .org now and is international?" I say: what about them? They have an address somewhere and that is, I think, the us. That would have mean debian.us. If they would have wanted to be active in every domain, they would have had to register that everywhere. If not, they could have gone for debian.us as default.

The few really international organisations are already covered with .int and no, debian would not be able to get that, nor anybody else. .com is not all commercial. .net is not all network related and .org are not all (non-profit, see .com) organisations anyway.

Now we have part of it that is location based and part of it that is sort of what they are based, but not really, but some are, but not all and there are exceptions ....

Oh well, we are in this mess and it will not get better.

Clarify "certificate identity"

[MobyDisk]

Something doesn't add-up:

During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word "PayPal" in the domain name or the certificate identity.

(Emphasis mine).
But according to Let's Encrypt, their certificates don't say anything about identity:

Let’s Encrypt is going to be issuing Domain Validation (DV) certificates. On a technical level, a DV certificate asserts that a public key belongs to a domain – it says nothing else about a site’s content or who runs it. DV certificates do not include any information about a website’s reputation, real-world identity, or safety.

Can someone explain what the author meant by the term "certificate identity" in a Domain Validation certificate? It almost seems like the author of the article is conflating the concepts of DV certificates and EV certificates into one. Or am I wrong, and DV certs do indeed have an identity?

In researching this a bit, the CA security council as well as some certificate authorities are pushing browser manufacturers to treat DV certificates differently from EV certificates, where the site owner's identity is verified. This would make sense. There's some politics going on here at Mozilla: according to Wikipedia, Firefox used to treat DV certificates subtly differently from EV certificates, but they changed that once they launched Let's Encrypt.

Re:Clarify "certificate identity"

[MobyDisk]

Awesome to get a reply from the article author. Thanks!

Re:Clarify "certificate identity"

[MobyDisk]

I just looked at Slashdot's certificate, and indeed it is a Let's Encrypt cert. It says:

Issued To:
Common Name (CN): slashdot.org
Organization (O): <Not Part Of Certificate>
Organizational Unit (OU): <Not Part Of Certificate>

Re:Phishing is good

[Tukz]

A person who knows to install a NoScript plugin, also knows not to blindly use google search as an address bar.

Re:Phishing is good

[Artem+S.+Tashkinov]

Normal people have no idea what https://paypal.com/ is. For them https://paypal.co/ looks perfectly fine (PayPal might have bought all second level domains but I highly doubt that). Normal people have no idea what "com" means, what domains levels are, what's the meaning of dot in the domain name. What's the meaning of HTTP or HTTPS whereas the former is now hidden by all major web browsers. I'm an IT pro and I've no idea why there are these three letters "://" after the protocol name. Why not "::" or "->" or any other arbitrary combination?

Normal people may want to visit paypal for the first time ever which means no AutoFill data or any indication they've arrived at the website they can really trust.

Idiots who say you should trust a website based on its name think too much of people. The Internet was designed for geeks and remains so, no matter what geeks say. And it wasn't designed with security/privacy/encryption/simplicity in mind - to the contrary, the first major protocols had nothing to do with encryption or remote party identification.

Here's an example from real life: my ISP transparently replaces IP records for DNS queries for forbidden websites (it's a usual practice even in the USA) - how on Earth you could trust a domain name, when your ISP can reroute your traffic at will? And no! I'm not using my ISP's DNS resolver - I have a recursive DNS server on my PC - which means they transparently replace my UDP traffic. The only way to be sure that my connection attempt is not spoofed is what? VPN? No, you cannot trust it either. DNSSEC hasn't really taken off and then you cannot really trust CAs nowadays.

Sorry, I've never seen so many idiots at /. simultaneously.

How is this an abuse of Let's Encrypt?

[RobertJ1729]

How is this an abuse of Let's Encrypt? Would you prefer that victims give their private information to phishing sites over plaintext? Seatbelts can be worn by bank robbery getaway drivers. Does that mean that seatbelts are a problem? The premise is absurd.

Re:Phishing is good

[Artem+S.+Tashkinov]

That is a problem, but one that should be addressed by education, not by dumbing down the population even more, because that makes the majority of people even more helpless.

I quite agree with that, however just like I said, the Internet and computer devices are inherently insecure. How would you teach them not to trust DNS or their Internet connection? How would you teach them not to trust their OS or their computing device (now that we know that BIOS/UEFI/your NIC/HDD firmware can all be p0wned)?

As of 2017 we're all fucked. Some people naÃvely believe we aren't. The ones who usually run Windows without any decent AV. At the same time 100% of modern CPUs (x86/ARM) are rigged for remote control without you knowing. >98% of people in the world run software/firmware/integrated circuits (read CPUs, DSPs, etc. etc. etc) which only select people in the world can access and verify.

Re:Never saw that coming

[thegarbz]

If the identity of the endpoint can't be verified, exactly how is it that MITM is prevented?

There's a difference between positively identifying a corporation and identifying the machine with which you are trying to communicate. An SSL certificate provides you only with the knowledge that you're communicating with the person who claims to own the address in question and that this communication is secure.

Phishing attacks are prevented by Extended Validation. It's an additional process which says the person who we granted the certificate to is the owner of the domain and the company and we have reasonable evidence to that effect, ... trust us.

Let's Encrypt doesn't offer the latter service, and if you go to www.payypal.com and see "Secure" in the title you know that you're talking securely to www.payypal.com. You don't know if you're actually talking to Paypal unless it says "Paypal, Ltd [US]." in the title, and even then you're doing it on nothing more than a promise.

Re:Phishing is good

[dgatwood]

Normal people may want to visit paypal for the first time ever which means no AutoFill data or any indication they've arrived at the website they can really trust.

Normal people trust their search engine to return the real PayPal site when they search for it. The worst realistic scenario from a non-user getting otherwise redirected to a fake version of the site is having to contest false charges on a credit card and report the card stolen. No big deal. It becomes dangerous when you associate a bank account with it, which no mentally competent person should do when visiting a site referred from some random new website. But once you have done that, accidentally giving out your password to a phishing site becomes a really big deal, because you probably won't get that money back.

Idiots who say you should trust a website based on its name think too much of people.

What the h*** else can you possibly use as a basis for trust? Do you expect us to create a little walled garden that prevents the free flow of information just in case some bad person decides to do something bad with that ability? We had that. It was called AOL, and it failed because it was too limited compared with the real web.

The only way to be sure that my connection attempt is not spoofed is what? VPN? No, you cannot trust it either. DNSSEC hasn't really taken off and then you cannot really trust CAs nowadays.

You should really be encouraging broader adoption of DNSSec so that we'll eventually be able to make DNSSec validation mandatory instead of whining on Slashdot that we aren't taking the problem seriously. Or propose a better solution. Either way.

Sorry, I've never seen so many idiots at /. simultaneously.

With all due respect, has it ever occurred to you that if you think a large number of really smart people are idiots, it probably means that you don't understand the problem as much as you think you do? Just saying.

blame

[lastman71]

If you blame the CA, for creating valid certificate for "misleading" domain name, why do you not blame also the registar?

Letsencrypt versus a 'real' CA

[sjwest]

I think most people here would spot a fake site without the ev,

Even CA's have issued 'bad' certs to people - Symantec and others have also failed the test.

Re:Letsencrypt versus a 'real' CA

[thegarbz]

That's just it. BleepingComputer doesn't understand the difference between a DV and an EV certificate and falsely assumes that Lets Encrypt is not doing exactly what a Certificate Authority issuing a DV certificate is supposed to do: Verify the requester is capable of administering the domain in question and nothing more.

Re:Letsencrypt versus a 'real' CA

[el_chupanegre]

That's just it. BleepingComputer doesn't understand the difference between a DV and an EV certificate and falsely assumes that Lets Encrypt is not doing exactly what a Certificate Authority issuing a DV certificate is supposed to do: Verify the requester is capable of administering the domain in question and nothing more.

Maybe this is just a problem with the latest Chrome beta (I haven't checked others) but it seems to display both EV and DV certificates in exactly the same way to me. On /. the certificate is issued by "Let's Encrypt Authority X3", therefore it's DV but on my bank's website it's "Symantec Class 3 EV" yet both of them display in the URL bar exactly the same way.

How is your average internet user supposed to know the difference when someone can get a DV for a phishing website that looks just like their bank website and the URL bar looks exactly the same (bar the easily-missed URL difference)?

I checked PayPal as well and that shows the URL bar differently (with PayPal, Inc. in the green box) even though that's also "Symantec Class 3 EV", so there seems to be something odd going on there. To be honest, even with that, I don't think the average user would know the difference between a green box containing "Secure" vs. the name of the company, they're just looking for that green box/padlock.

Re:Letsencrypt versus a 'real' CA

[thegarbz]

It is a Chrome specific issue caused by Chrome raising the bar on all EVs. In order to get the Green EV bar in Chrome a certificate needs to be EV, issued by a root authority, and needs Certificate Transparency information (or needs to be issued before 1st Jan 2015).

Unfortunately there's a shitload of CAs out there that didn't get certificate transparency sorted out by 2015.

Some EV certificates are dead and in this case: Netcraft confirms it

Quite frankly if I were paying $1000 for a certificate and it wasn't showing green in Chrome, I would be on Symantec like shit on a blanket. Though currently Chrome is the only browser enforcing this.

Let's be responsible

[VikingNation]

Public key infrastructure is dependent upon a system of trust. Those who issue signed certificates can either strengthen or weaken trust in the overall system. Those issuing certificates bear responsibility to maintain trust in the overall system.

Re: Phishing is good

[corychristison]

HTTPS was a badly realized afterthought and it bites people all the time. I wonder if this problem can be solved at all.

The intention of HTTPS was only to provide secure communication between the client and server.

Saying it was horribly designed afterthought because it doesn't verify the owner of the server is simply false. That was never the point. That may have been something the CAs propped up, and then browsers started blocking use of self-signed certs. So now we're back at square one, as LetsEncrypt now offers a no cost solution to replace self-signed certs.

This is what LetsEncrypt believes, as well. The entire point of LetsEncrypt is to allow everyone to securely communicate with their own sites, free from spying of ${GOVERNMENT_ENTITY} or malicious hackers.

We simply need some other way to identify if a website is who it says it is. HTTPS was never meant for that, despite what the CAs have led you to believe.

Re: Never saw that coming

[Miamicanes]

A domain-validated cert guarantees *nothing* besides, "this cert was issued to a likely admin at $host.$domain.$tld."

The expectation is that clients (ie, web browsers) will compare the tail end of the hostname to the CN on the cert, and take appropriate action if they don't match.

They guarantee *nothing* about the identity of the site's owner, the legitimacy of their domain's ownership, or anything else.

DV certs exist because sometimes, all you care about is preventing MITM attacks to web users. Period. The onus is still on *you* to verify that login.chase.com.lucky7domainpark69.com is, in fact, the login page for your bank, and not a phisher's site. All a DV cert for that domain guarantees is that someone running a fake/compromised wifi access point can't intercept, read, or tamper with the request or response.

This is why banks pay thousands of dollars for "EV" certs. A CA issuing an EV cert IS expected to have "boots on the ground" physically verifying that the cert's applicant is who they say they are, has an office where they say they do, etc. They themselves STILL guarantee nothing about how data is secured or used after decryption.

TL/DR:

DV cert: the other party is whomever controls $(some-specific-domain).

EV cert: same as DV, but adds guarantee that they're ALSO whom they claim to be. They might STILL be evil & crooked, but at least you might conceivably hunt them down in the real world if they do something bad.

Re:Phishing is good

[tigersha]

You know that there are cyrillic characters that look exactly like the roman ones we use except they have another unicode code point? So www.microsoft.com (to use a REAL example) could have a cyrillic o in there and you can't actually see the difference because the two characters are renderered identically?

Besides, I noticed that ld ' uo p uplo ,no

Auto fill and TouchID

[TheOuterLinux]

If you have auto fill turned on, your browser may remember your PayPal information. A phishing site could setup in a way to steal the auto fill information without actually showing you a form. Another problem I've realized (maybe a tad off-topic) is that PayPal has allowed users to sign in with TouchID. There are parts of the world in which law enforcement can make you use your finger to unlock your phone; this also includes applications. In other words, PayPal gave law enforcement the keys to many peoples financial information but told everyone it was for convenience.

Re:Phishing is good

[tigersha]

Yes. I agree. Our local admin (who is a paranoiac) thinks autofill is the evilz. Autofill increases security for exactly that reason.

Bonus # 2: Autofill makes you much more immune to viruses that capture keystrokes, of which there are plenty.

Re: Never saw that coming

[VikingNation]

The point of the certificates is to provide a means to establish confidentiality, integrity, and identification of the server hosting information. Issuing fraudulent certificates undermines the security and leads to fraud.

Re:Phishing is good

[Bert64]

The problem is very few people are aware of the correct URLs, and simply put "paypal" into google and follow the first result that comes up, or click the paypal link on ebay or that arrives in an email for example... They never directly enter https://www.paypal.com/ into their browser address bar.

Re:Phishing is good

[Bert64]

Whats to stop a virus from dumping the autofill cache instead of capturing keystrokes? You've traded one problem for another.

Encryption without trust = dangerous illusion

[WaffleMonster]

Years ago everyone who wanted an SSL cert had to provide actual corporate documentation reviewed by actual people. Everything was essentially "EV".

Then all the CA vendors said fuck it, lets make more money on volume without doing any work and switched to automated systems.

Finally Let's encrypt came along and said double fuck it not only will we use automated systems but we'll make it FREEEEEEEEE.

The end result is a phenomena well known to the technology industry. A race to the bottom where everyone ends up screwed because there is no discipline and no market incentive to chose any path other than the one of least resistance.

We now live in a world where insecure jems like RFC6844 (DNS CAA) are necessary because CA's are too lazy even to be expected to coordinate amongst themselves.

I don't believe a world of countless dozens of overlapping planet scale trust anchors is rational to begin with. I have always advocated for any signing to leverage domain holders relationship with their registrar as a standard feature of domain ownership and get lazy third party CAs out of the equation altogether. The whole system has basically devolved into this only with much worse security/financial/effort outcomes for all concerned anyway. Way past time to force the worlds CAs out of business.

Yes originally it at least made sense if you were a bank or ecommerce site or something important you paid dearly each year for a cert and got something out of it in return. The second CA's abdicated their only value over domain registrars ... meaningfully vetting those seeking their blessings it should have been the second they ceased to exist altogether. They essentially became parasitic leaches from that point forward and the world has suffered for it as a result.

Re:Encryption without trust = dangerous illusion

[thegarbz]

You seem to imply because something is free and automated that there is a lack of trust. There is not. DV certificates still identify the server as responsible for responding on behalf of the domain in question.

What you're complaining about is trust beyond the machines and into the organisation and people behind the servers. This is something outside of the scope of DVs, outside of the scope of Lets Encrypt, and quite critically also handled and displayed differently to the user by the browsers.

There's nothing dangerous here, just a bunch of people who don't know what they are talking about. You want to pretend to be www.playpal.com go right ahead. You want to pretend to be PayPal Ltd [US] with the domain www.playpal.com? Well Lets Encrypt won't let you do that.

Re:Encryption without trust = dangerous illusion

[tepples]

What you're complaining about is trust beyond the machines and into the organisation and people behind the servers. This is something outside of the scope of DVs

WaffleMonster's point as I understand it is that DV should never have existed, that the choice should have been between OV and cleartext passwords.

Re:Encryption without trust = dangerous illusion

[WaffleMonster]

You seem to imply because something is free and automated that there is a lack of trust.

While not my point. I absolutely agree with the above statement because it is factually accurate. ALL of these automated systems depend on INSECURE responses from INSECURE protocols in order to issue certificates including LE.

Third party DV is pointless because registrars are way better positioned to handle this.

The domain registrars need to take over and all of this redundant third party crap needs to go.

What you're complaining about is trust beyond the machines and into the organisation and people behind the servers. This is something outside of the scope of DVs, outside of the scope of Lets Encrypt, and quite critically also handled and displayed differently to the user by the browsers.

Originally this was NOT the case. To get a cert for your domain you were required to be vetted as an organization. Once CA's got out of the business of vetting organizations rather than ownership of domains they became dangerously redundant.

There's nothing dangerous here, just a bunch of people who don't know what they are talking about. You want to pretend to be www.playpal.com go right ahead. You want to pretend to be PayPal Ltd [US] with the domain www.playpal.com?

Nothing dangerous here after having explicitly discounted endless parades of impersonation attacks. The original value of the CA is effectively gone.

Well Lets Encrypt won't let you do that.

Yes it will if you can manage to intercept traffic from LE and your victim. It's all leap of faith and redundant.

Re:Encryption without trust = dangerous illusion

[WaffleMonster]

WaffleMonster's point as I understand it is that DV should never have existed, that the choice should have been between OV and cleartext passwords.

Once OV effectively died the function should have been handed over to domain registrars who maintain a relationship with domain owners. Registrars are best positioned to hand out certificates as standard feature of domain ownership. CA's have no business touching DV.

As for cleartext passwords INCLUDING cleartext over TLS there is no excuse for continued use of insecure authentication protocols. Many are being owned because they were taught it swell to enter passwords into adhoc web forms whether encrypted or not. A certificate-less HTTP session secured by TLS-SRP provides protection from impersonation. DV does not even pretend to try.

Re:Encryption without trust = dangerous illusion

[thegarbz]

WaffleMonster's point as I understand it is that DV should never have existed,

And we'd be resolved to encryption for only those who can pay opening up an entire world of exploits based on the people withing the network or standing along side it.

Just because I don't have 100% faith in the endpoint, doesn't mean I don't trust all the people around me, or the proxy server in front of me. DVs still provide encryption. EVs and OVs provide something else on top and as I mentioned given that DVs and EVs are handled differently and presented differently to the user there is absolutely no reason DVs shouldn't exist.

Security isn't an all or nothing approach.

Re:Encryption without trust = dangerous illusion

[thegarbz]

The domain registrars need to take over and all of this redundant third party crap needs to go.

There are plenty of registrars that do this in countries where the laws govern the application of domain names. I didn't get my domain in my own country because of this. I didn't want to go through the hassle of registering a business name, providing identification and tax documentation and then paying 5x more for the domain and hosting as a result of this.

Originally this was NOT the case. To get a cert for your domain you were required to be vetted as an organization.

Yes. It's worth remembering why we stepped away from this approach. The ability to encrypt separately to the high cost of the ability to encrypt + validate kept a large portion of the internet unencrypted. DVs lowered the bar to encryption which cuts out a whole lot of risk factors.

Nothing dangerous here after having explicitly discounted endless parades of impersonation attacks. The original value of the CA is effectively gone.

There's nothing "gone" about it. The browser handles DVs and EVs differently and displays them differently to the user. A user who would look to see if something is encrypted would also look to see if the name of the company shows quite obviously in the title bar. A user who doesn't do either of those never benefited from CAs in the first place, and phishing attacks were very bloody effective long before they started requesting certificates, which goes to show the exact opposite of what you suggest: CAs were essentially of little value to begin with, and we have better effects at increasing security by encryption all communication rather than providing a certificate that no one reads or cares about.

Yes it will if you can manage to intercept traffic from LE and your victim.

Err no you can't MitM with a certificate that doesn't match the domain you're talking to.

Re:Encryption without trust = dangerous illusion

[WaffleMonster]

There are plenty of registrars that do this in countries where the laws govern the application of domain names. I didn't get my domain in my own country because of this. I didn't want to go through the hassle of registering a business name, providing identification and tax documentation and then paying 5x more for the domain and hosting as a result of this.

For what it's worth I am not asserting anyone who wants a domain should be vetted in any way. I'm only saying if your going to hand out domains and certs like candy the domain registrar is the best place to do that instead of doing it separately in a different insecure step elsewhere.

Yes. It's worth remembering why we stepped away from this approach. The

To reduce operating costs and increase profits?

ability to encrypt separately to the high cost of the ability to encrypt + validate kept a large portion of the internet unencrypted. DVs lowered the bar to encryption which cuts out a whole lot of risk factors.

I have no problem with DV itself. I have a problem with vetting of actual organizations being rendered meaningless and I have a problem with CA's being in the business of handing out DV certs.

Err no you can't MitM with a certificate that doesn't match the domain you're talking to.

No need to break a trust chain or develop exotic methods to subvert crypto when the chain of trust itself is an illusion. Consider the following 7-step plan:

1. Gain access to the victims wires
2. Go to any of a zillion different CA's or LE.
3. Submit CSR or equivalent to chosen CA
4. Follow automated validation procedures
5. Leverage access to victims wires to screw with unsecured DNS requests and or unsecured web requests to fool automated validation procedure.
6. Install valid certificate assigned to you by a legitimate CA.
7. Leverage your new certificate to MITM your victims systems to your hearts content.

CA's have no business handing out DV certs.

Re: Never saw that coming

[thegarbz]

There is no fraudulent certificates being issued. A DV certificate which is all that Let's Encrypt issues only guarantees that you are actually talking to the domain (server) that is being claimed. Nothing more. Confidentiality, integrity and identification are completely correct and preserved. You are actually talking to www.ppaypal.com when it says you're talking to www.ppaypal.com.

If you want to know if you're talking to PayPal Ltd, [US]. That's a completely different certificate with a completely different issuing process, and your browser will handle DV and EV certificates differently.

there still is a barrier to entry

[jopsen]

Read: https://letsencrypt.org/2015/1...

While they do conclude that they don't see CAs role for (DV certificates) to protect against phishing... They do already lookup domain names in Google Safe Browsing API before issuing certificates.

From a puristic point of view the purpose of a certificate is to prove that you are talking to example.com, and not some other domain. Verifying that example.com is your bank and not registered by a scammer is a not the purpose of a certificate.

That said, it seems they already are looking up in Google Safe Browsing API, so at-least there is some barrier to entry. And while I agree that it's not a CAs purpose to be internet police, I do hope that we'll see more best-effort protections to stem abuse. Granted this sort of a abuse is probably better fixed at registrar level.

Re:Never saw that coming

Sorry, that wasn't very clear. It is to identify that the server is the server it claims to be, but does nothing to verify the identity of the person running the server.

For example, Let's Encrypt will check that the person getting the certificate really does control www.paypall-secure-login.com, but not that they are actually PayPal Inc.

In other words, the business model of Let's Encrypt is to sell digital certificates that aren't worth the electrons they are printed on.

Issuing a certificate to BobsCarRepair.com is one thing. Obviously you have no way of knowing whether or not Bob is a reputable business.

However, Issuing 14,000+ certificates that contain the word PayPal, to domains not owned by the real PayPal, is incompetence on a massive scale and calls into question Let's Encrypt's honesty and trustworthiness.

Re:Never saw that coming

[mysidia]

If the identity of the endpoint can't be verified, exactly how is it that MITM is prevented?

The purpose of these CAs is to Verify the Identity of the Domain Name for the purpose of establishing TLS connections. They verify DNS domain name Identity, Not Organizational Identity.

I.e. They verify the person who controls the Hostname authorizes the certificate, Not that the Hostname is owned by the company name and end user speculates the DNS domain name belongs to.

Wrong conclusion

[allo]

Before they just used http without tls.
The web is moving to be encrypted. So phishing sites are being encrypted as well. No surprise. And nothing worse than before. It's even better, because just the phisher gets your creditionals, but not the NSA, which sniffes your connection to the phishing site.

Re: Never saw that coming

[mysidia]

A CA issuing an EV cert IS expected to have "boots on the ground" physically verifying that the cert's applicant is who they say they are, has an office where they say they do, etc.

EV pretty much just means they paid extra, and the buyer is a company. Depending on which CA, there won't be much extra verification.

Also, there's another type of cert you didn't mention which are Organization-Verified Non-EV Certificates. For example: Amazon.Com has one, The certificate lists the company name "Amazon" as the company name on the cert instead of just a blank or "Domain Owner Verified" in the company name.

Although, for some reason Chrome does not show the company name on Organization-Verified certificates.

Re:Never saw that coming

[dgatwood]

Does anyone remember what the point of SSL was? It's just so our users don't see the non SSL warning right?

You say that jokingly, but there's some truth to that. The need for TLS is proportional to the damage done by compromising the connection. Informational websites with no credentials do NOT need TLS, typically, and the push to add TLS more broadly has played a major role in lowering the bar for getting a cert (out of necessity), thus weakening an already weak system further.

Re:Never saw that coming

[ls671]

In other words, the business model of Let's Encrypt is to sell digital certificates that aren't worth the electrons they are printed on.

Let's Encrypt certificates are free and issuance is fully automated.

Re:Never saw that coming

[tepples]

Informational websites with no credentials do NOT need TLS, typically

Without TLS, how do you ensure that a man in the middle isn't altering the information that you retrieve from said "Informational websites with no credentials"?

Block all DVs

[tepples]

The process might in fact be to block all domain-validated (DV) certificates and allow organization-validated (OV) and Extended Validation (EV) certificates. This would parallel the policy implemented by the Comodo Dragon browser, which displays a warning for DV certificates:

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.

Re:Block all DVs

[chihowa]

Which is an awesome step away from the internet-that-was to the entirely commercialized and corporate web. Why would anybody was isn't a "legitimate business" want an SSL certificate?

Re:Block all DVs

[tepples]

The situation DarkOx describes is not your home connection but "corporate clients that do SSL intercept". In other words, it's a self-described legitimate business that wishes to communicate only with other apparently legitimate businesses.

Re:Block all DVs

Blocking DV is not the answer - maybe making the padlock orange and not saying "Secure", but blocking, as is done now for self-signed certs, gives the impression to the end user that the site is less secure over https than it is over http.

Re:Block all DVs

[thegarbz]

So roll back all encryption efforts except for those with deep wallets. Thanks but no thanks.

Just because I can't confirm that the end point isn't malicious doesn't mean I want every malicious idiot in the path taking their share too.

Re:Block all DVs

[chihowa]

Fair enough. I think I got lost mid-thread and thought that you were talking about general browser policy. Frighteningly, I've actually heard such a policy proposed for browser defaults.

How big is the DANE key?

[tepples]

[First-visit validation of a self-signed certificate is] where key fingerprints in DNS can help

Not until the root domain and major TLDs are signed with a key stronger than 1024-bit RSA. Short keys are why browsers haven't added support for DANE.

Even unauthenticated encryption is better than no encryption, because it prevents passive attacks.

It also gives the user a false sense of security that an active attack is not in progress. A self-signed certificate places the bar between "passive attack" and "active attack", but browser publishers have defined the https scheme to prefer a bar between "active attack" and "typosquatting".

Re: Phishing is good

[dgatwood]

The registrars are *supposed* to do visual aliasing checks when issuing internationalized domain names. If that isn't happening, the failing party is clear. It isn't as though this hasn't been a known problem for years....

Re:Never saw that coming

[mysidia]

Informational websites with no credentials do NOT need TLS, typically

Yes they do, if for no other reason than to protect visitors privacy against passive interception and tampering by their ISP.

Furthermore, websites such as Google search engine need TLS to avoid connections being hijacked by a malicious party and then used to phish attack against other Google.com/Same-origin properties

Re:Phishing is good

[mysidia]

Let's say, you entered paypal in Google and miraculously the second link leads to paypall.com

Wait.... Google lists a Fake website as Hit #2 in a search result, and people are ragging on LetsEncrypt? Clearly, the Search Engine is to blame here.

The way you safely access PayPal is DONT SEARCH FOR IT. you type http://www.paypal.com/ into your Browser address bar, AND you check the typing carefully before pressing enter.

Also, if you typo'd the website name, your browser should show an error page. And if you've ever visited www.paypal.com it should warn you that maybe you made a typo, before proceeding to access the different site.

Re:Never saw that coming

[thegarbz]

and very few people would check EV

Given how an EV produces a very clear and noticeable indication of the name of the organisation in the title bar, if someone doesn't "check" it then they should probably disconnect the internet as they are a danger to themselves.

Re: Never saw that coming

[thegarbz]

Depending on which CA, there won't be much extra verification.

The ones that don't do much extra by policy don't qualify to have their root certificate included in browsers.

Although, for some reason Chrome does not show the company name on Organization-Verified certificates.

Because OV certificates are the category you mention above, there isn't much extra qualification involved. Firefox also doesn't show OV certificates as green.

Re: Phishing is good

[corychristison]

And that's not what HTTPS is for. As mentioned that's what the CA's provided, but it certainly was not a part of HTTPS.

As another commenter pointed out, DNSSEC and DANE will provide this functionality, instead of the CAs, in the future.

Re:Never saw that coming

[mhkohne]

and very few people would check EV

Given how an EV produces a very clear and noticeable indication of the name of the organisation in the title bar, if someone doesn't "check" it then they should probably disconnect the internet as they are a danger to themselves.

If only. Most of the people who would be helped by such a thing are the sort of folks who would follow the instructions on how to disable their AV software to see the dancing cat video. EV is a nice mechanism, but PEBKAC still rules the day.

Caching by you vs. by your ISP

[tepples]

An unencypted connection is fast, cacheable, and secure enough when you're just transfering photos and cat videos.

As far as I know, my browser does cache content served over https exactly the same as served over http.

But your ISP cannot cache said content. Say you have a classroom full of children all reading the same article on Wikipedia, and it's in a remote area with the only available Internet connection being a 0.13 Mbps ISDN or satellite link. With cleartext HTTP, a Squid or Polipo proxy can pull every . But with HTTPS, the proxy has to fall back to a separate CONNECT tunnel and transfer the same article 20 times unless the proxy is configured to intercept TLS, with its own root certificate in all browsers configured to use the proxy. Failure to cache in such a situation is inefficient, slow, and possibly costly if it causes the school to exceed a monthly Internet data transfer quota. (Source)

Re:Caching by you vs. by your ISP

[DavidRawling]

I suspect there are too many folk working on these things that have never experienced such a situation and cannot comprehend that it still exists (and will do for a long time to come). "But I have unlimited gigabit fiber for $0.35 a month in my SF apartment, so everyone everywhere must be the same".

Re: Never saw that coming

[MichałMiszczyszyn]

MiTM attack has nothing to do with JavaScript.

Re:The following is going to happen.

[tepples]

Well, Let's Encrypt certificates are now going to be treated like self-signed certificates. Don't believe me? Just wait and see.

With both Mozilla and Google as "major sponsors" of Let's Encrypt listed on the front page, I don't see how this will happen any time soon. If Microsoft and Apple distrust Let's Encrypt for following the same CA/Browser Forum Baseline Requirements as every other certificate authority issuing domain-validated (DV) certificates, the only way to avoid a double standard would be to distrust all DV certificates. And as of today, the service formerly known as Hotmail appears to be using a DV certificate.

Re: blacklist them

[tepples]

A domain-validated certificate is for ensuring the authenticity of communications between your machine and a machine operated by the owner of a particular hostname. It isn't for ensuring that the owner of a particular hostname has any right under other applicable law, such as typosquatting provisions of trademark law, to use that hostname.

OCSP actually is a short-term certificate

[tepples]

The best incremental refinement is short-lived certificates auto-issued by intermediate CAs. [...] The refinement being pushed instead of the obvious one is "OSCP stapling"

An OCSP response is a short-term statement issued by the CA that a TLS server's certificate is still valid. It can be thought of as exactly the sort of "short-lived certificate" that you describe. Stapling allows a TLS server to cache this response and present it alongside the main certificate. If only the TLS server contacts the CA to get OCSP responses, the CA can't see clients.

Sovereign Keys

From a footnote in the proposal: "In the current draft, there are additional requirements, including that an OCSP check for the CA certificate is successful".

Re:Phishing is good

[tepples]

You enable javascript for paypal.com and then anytime you visit paypall.com, your browser sits there not running any javascript.

Then phishers are going to make their sites compatible with NoScript, such as by computing the final DOM, serializing it to HTML, and sending that to the mark instead of the script that generates the DOM.

Re: Phishing is good

[tepples]

LetsEncrypt now offers a no cost solution to replace self-signed certs.

This is true only for servers with fully qualified domain names, not for internal servers with private IP addresses or made-up TLDs such as .local or .internal. Is every householder supposed to buy a domain to make HTTPS communication across the LAN with a router, printer, or streaming media server work?

Re:Never saw that coming

[DavidRawling]

OK but then you have to have cross-checks that let people register/get certs for paypal-sucks.com without also permitting paypall.com, unless paypall.com is a legitimate business (PayPall being some payment processor in, I dunno, South Uzbekhistan). You also have to prevent getting wildcard certificates for anyone, because then they could set up paypal.com.golbalisecure.com (just by getting a wildcard for com.golbalisecure.com) - which would also let them get close to microsoft.com(.golbalisecure.com), google.com(.golbalisecure.com) etc.

This is not a problem easily solved with simple rules. And even THEN you get to the point of having hundreds or thousands of people employed to push yes/no buttons, which would surely not lead to underpaid, bored staff with bad KPIs/goals just repeatedly clicking Yes with no thought.

How did that help, again?

Re: Never saw that coming

[mysidia]

The ones that don't do much extra by policy don't qualify to have their root certificate included in browsers.

What do you mean by that? You suggested EV certs mean the CA sends boots on the ground and verifies the presence of your offices, But they don't.

In reality, what it means Is they ask you a series of questions whose answers will be checked using databases containing information gathered from public records.

Because OV certificates are the category you mention above, there isn't much extra qualification involved.

The CAs are not allowed to put in a Company Name they have not verified. They're basically just the same as the EVs. You upload some scanned documents, and then answer some questions, and you'll get either type of cert really quick,
except the EV has an arbitrarily higher price tag.

Re: Phishing is good

[DavidRawling]

To be fair this is because browsers like Chrome (swiftly followed by Edge and Firefox) have all decided that the search bar SHOULD act exactly like search. They removed the dedicated search box in favour of a "smart" unified typing place that in my experience, fails to select the correct thing to do about 50% of the time.

It's almost impossible to just type a hostname into the Complete Unified New Technology bar and consistently have the browser load the site (unless you hack Firefox options; I don't use Chrome so I don't know if it's possible at all and I can't see a way to make Edge be sane). No - a simple word MUST mean you're searching for something even if it's locally resolvable and not a word in any language. Thanks Google et al, making the world a worse place, one step at a time.

Re:Never saw that coming

[msauve]

"The purpose of these CAs is to Verify the Identity of the Domain Name for the purpose of establishing TLS connections. They verify DNS domain name Identity, Not Organizational Identity."

Your point? Unless there's a DNS compromise, AND a cert is issued by a widely accepted CA which doesn't verify the actual domain, it's not a real issue. Someone trusting a link to paypall.com isn't an https/cert issue, it's an issue of ignorance. It's not any more serious than a fishing attempt which looks for email responses, or Rachael from Cardholder Services calling and asking for a credit card number and someone believing them. And what if someone does create a real "Organizational Identity" of Paypall? Then the difference between DNS and organizational identity is nil. Ultimately, people have to exercise due diligence, or they'll get burned. Trying to tell them that there are technical solutions for their naivete is a counterproductive lie, only instilling a false sense of security.

What's really interesting is that the /. cert is also issued by "Let's Encrypt."

Re: Phishing is good

[corychristison]

Why are you encrypting traffic within your own private network?

Re:Never saw that coming

[arglebargle_xiv]

Phishing attacks are prevented by Extended Validation.

No they're not. If you look at phishing stats before and after EV certs were introduced, there was zero change. Well, it actually got worse, but that's because it's been getting worse for years. The rate of change was a straight line, there wasn't even a noticeable bump brought about by EV certs.

What you actually should have said was:

CA revenue problems are prevented by Extended Validation certificates.

Re:Phishing is good

[hawkinspeter]

Except that they don't. Unless you can show me an example where they don't use any javascript in a login page.

Re: Never saw that coming

[hawkinspeter]

Yes, you are technically correct. However, every phishing site that I've ever seen does exactly zero without javascript enabled. If you've already visited paypal and whitelisted it in NoScript, then you'll immediately notice when you go to a similar site that isn't whitelisted and know not to put in any credentials.

Business model of a free site ?!

[DrYak]

In other words, the business model of Let's Encrypt is to sell digital certificates that aren't worth the electrons they are printed on.

Let's encrypt is a free (price as-in-beer, code as-in-speech) service. They don't have a business model.

They have a purpose (the same as CACert, by the way), to issue simple certificates that can verify that "blah.com" is indeed "blah.com".
(As opposed to some man-in-the-middle attacker mascarading as "blah.com" using a different 3rd server).

They do not certify any thing else, and indeed the certificates' fields. This certificate doesn't certify any organisation name.

This is even reflected in some browser's URL bar.
e.g.: in Mozilla's Firefox.

- Go to a "let's encrypt" website (like here on /. ) or one certified by CACert :
you only get the green padlock (sign that the communication is encrypted) and no other indication.
let's encrypt only checked that slashdot.org is indeed slashdot.org, but didn't check anything regarding ownership.
(it might as well be someone trying to impersonate Slash, DJ Slash or Fat Boy Slim)

- Go to paypal :
in addition to the padlock, you get an indication that certificate is certifying that the server is owned by PayPal Inc.
(Symantec actually checked that PayPal Inc is indeed own

Issuing a certificate to BobsCarRepair.com is one thing. Obviously you have no way of knowing whether or not Bob is a reputable business.

Even further : it doesn't even certify that owner of the website is someone called bob. It only certifies you that it is indeed bobscarrepair.com
It might as well be owned by Alice, for what you know.
It only certifies that Eve isn't wiretapping you when you give your credit card number to buy parts.

However, Issuing 14,000+ certificates that contain the word PayPal, to domains not owned by the real PayPal, is incompetence on a massive scale and calls into question Let's Encrypt's honesty and trustworthiness.

Nope.
There's a difference between guaranteeing a secure channel (against 3rd party eaves dropping).
And guaranteeing identity.
is
These are 2 different concepts.
Let's encrypt only takes care of the first one and has never ever hoped to tackle the second problem. They DO NOT certify owners, this field is intently left blank on their certificates.

The point of Let's Encrypt (as its name says) is that encryption becomes the norm on the web. In order to avoid massively stupid blunders, like the dead easy identity theft demonstrated by FireSheep.

That's something that CAN BE achieved for free, on a massive scale, like Let's Encrypt and CACert are doing.

There's no realistic way that let's encrypt could in any way confirm owner identity for free on this massive scale.

That's something which is very easy to understand for people who have some basic knowledge of security.

Saddly, sheeple are stupid. So you need to educate them and try to find ways to make them understand.
(e.g.: the above mentionned "show certified owner in the URL bar if provided" that Firefox is doing).

But sapping efforts like "Let's Encrypt" which are providing very valuable service (bringing the availability of HTTPS, TLS/SSL, etc. on a massice scale), simply because some idiot can't make the difference between "protection against 3rd party eavesdrop" and "identity of the owner" is counter-productive

Revoke slashdot.org's certificate !

[DrYak]

and very few people would check EV

That's why some browsers like Firefox checks it for you and display it right in the URL bar.
You can't miss it.

What you really need is the domain registrars to check that if sites are being registered that are similar to a company name or trademark that they have a legitimate right to use that name.

Hey, then you need to ban slashdot.org, because it's name is similar to Slash. Or to DJ Slash. Or to Fatboy Slim's song.

The problem with "check that if sites are being registered that are similar to a company name or trademark" is that it's a complex task require some thinking that it's not trivial to automate for absolutely free (and in a way that won't be trivially circumvented by attackers).
It goes beyond the point of Let's Encrypt (whose point is, as the name indicate, just to make encryption available).

Or build a chain-of-trust system where people can blacklist a bad domain by voting it down

Which isn't an easy task to do (how many - outside of /. - to use PGP on a regular basis ?) Chain-of-trust system aren't easy.

Blacklist aren't silver bullet neither : an attacker could still bank on a quick attack trying to scam as many users as possible before getting flagged.
(See all the "software to make a millionaire out of you on binary option sites !" scam that are popping every where. Site costs under a couple of hundred in stock-photos / fiverr actors / ads promotion to set up, and can manage to make a few thousands selling snake oil before getting reported and shut down).

Neither of them have anything to do with HTTPS.

Which brings us back to the point : Let's Encrypt's purpose, as it names implies, is to bring the S in HTTPS and nothing more.
It's not their job solving the certification of owner in an easy way.

Re:Phishing is good

[tepples]

It's not PayPal itself, but the login page for Phil's Hobby Shop can work without JavaScript. The only part that changes with script off is that you have to submit with a blank password in order to enable "Show password as I type".

Secure Contexts and Fullscreen API

[tepples]

Why are you encrypting traffic within your own private network?

To avoid loss of functionality once the Fullscreen API becomes limited to secure contexts. Browsers no longer support sensitive JavaScript APIs over cleartext HTTP. There are plans to make Fullscreen API unavailable over cleartext HTTP because of demonstrated phishing attacks. Without the Fullscreen API, streaming video from a home NAS will be limited to a window.

Re:Secure Contexts and Fullscreen API

[corychristison]

Personally I "stream" my media over NFS within my network.

MPV on a small Linux box I have connected to my TV. Works well for my needs.

What are you using that utilizes the Fullscreen API? Sincere curiosity here.

Re:Secure Contexts and Fullscreen API

[tepples]

Personally I "stream" my media over NFS within my network.

I imagine that Android, iOS, and Windows clients don't ship with an NFS client. If they do, when did they start?

What are you using that utilizes the Fullscreen API?

In theory, the server side is GNU MediaGoblin or other web-based media server applications, and the client side is anything with a modern web browser, particularly devices brought by visiting friends and family.

Re:Secure Contexts and Fullscreen API

[corychristison]

Interesting. I was not aware of MediaGoblin.

I have no desire to support Android/iOS. Network shares can be exported as Samba share if necessary for Windows, though I don't use Windows within my network either.

Re:Phishing is good

[hawkinspeter]

Fair enough. Luckily, phishers don't bother with a non-javascript login page even though it is possible.

Re:Never saw that coming

[thegarbz]

Indeed. PEBKAC is a limiting factor. Point is that people who check EVs are the same people who check the little lock symbol. There's no increased risk of a DV certificate going to phishers as phishers were just as good at phishing with no security at all.

Re: Never saw that coming

[thegarbz]

I didn't use the words Boots on the ground, and no that is NOT and never was the expectation of EV. The expectation is that there are a policy and process through which they verify third party companies exist and are legitimate, and that this process is validated through an external auditor. This well and truly exists with most CAs and ... well we only recently ran a story about one where this process wasn't sufficient. Guess who no longer has their root cert in any browser.

In reality, what it means Is they ask you a series of questions whose answers will be checked using databases containing information gathered from public records.

Yes. That's no different to your mythical boots on the ground. It's also no different to the deed of my house, the shares I own in my company, and my entire personal identity. Documentation and answers show that you are who you claim to be.

They're basically just the same as the EVs.

The bar is set higher. There's a difference.

Re:Never saw that coming

[thegarbz]

Yes they are. The fact that they don't work is entirely different to the concepts within the scope of discussion.

The scope of discussion is: Phishing attacks being prevented by certificates, and the extended risk of Let's Encrypt providing free DV certificates
What I said was: In summary: preventing phishing attacks is the scope of EVs not DVs.

Whether or not it works is irrelevant. The point it it got no worse through the freely available DVs.

Re:Never saw that coming

[dgatwood]

Without TLS, how do you ensure that a man in the middle isn't altering the information that you retrieve from said "Informational websites with no credentials"?

You don't, but it almost never matters. MiTM attacks tend to be harder than passive sniffing, and there are very few reasons why any ISP in its right mind would do so. They're far more likely to do blocking, or redirect a streaming site to their own streaming site, or other absurdity that's easy to spot.

Re:Never saw that coming

[dgatwood]

Google.com also involves authentication credentials. You can't usefully do a phishing attack against a website that involves no credentials, because there's nothing to phish.

Re:Never saw that coming

[tepples]

It's not always a home ISP that's doing subtle MITM modification. It might be someone malicious in the same coffee shop as you. Or it might be a government agency using the Fullscreen API to spoof the chrome of the entire desktop environment.

Re:Never saw that coming

[arglebargle_xiv]

Yes they are. The fact that they don't work is entirely different to the concepts within the scope of discussion.
Whether or not it works is irrelevant.

"Here's a solution. It's gonna be great, you'll love it. The fact that it doesn't work is irrelevant".

Wait.... Donald, is that you? Mr. President?

Re:Never saw that coming

[dgatwood]

It's not always a home ISP that's doing subtle MITM modification. It might be someone malicious in the same coffee shop as you.

Assuming DNSSec gets deployed as it should, someone in the same coffee shop will be able to passively snoop, but won't realistically be able to be in the middle of the communication unless the infrastructure is badly broken. After all, two hops over Wi-Fi should always realistically have higher latency than one hop plus a DHCP response. The biggest weakness is UDP-based DNS. For that matter, you could disable UDP-based DNS today, and you'd pretty much kill any hope of MiTM attacks by anybody other than your ISP. Arguably, you probably should.

Or it might be a government agency using the Fullscreen API to spoof the chrome of the entire desktop environment.

At that point, your endpoint is untrusted, so the communication is untrusted, period. There is no security mechanism that can have any real benefit if you cannot trust the browser itself or the operating system under it.

Re:Phishing is good

[dgatwood]

If by succeeding, you mean completely failing to have any significant role in online commerce, and not being a significant source of information beyond currently trending events, then sure. Call me when there's something equivalent to Wikipedia that's built into Facebook without linking out into the Internet as a whole, or something equivalent to Amazon, or something equivalent to airline and hotel reservation websites, or....

So no, Facebook is not succeeding as a replacement for the Internet—only for the very narrow slice of the Internet that was previously dominated by MySpace.

Re:Phishing is good

[dgatwood]

If by succeeding, you mean completely failing to have any significant role in online commerce, and not being a significant source of information beyond currently trending events, then sure. Call me when there's something equivalent to Wikipedia that's built into Facebook without linking out into the Internet as a whole, or something equivalent to Amazon, or something equivalent to airline and hotel reservation websites, or....

So no, Facebook is not succeeding as a replacement for the Internet—only for the very narrow slice of the Internet that was previously dominated by MySpace.

Re:Phishing is good

[dgatwood]

If by succeeding, you mean completely failing to have any significant role in online commerce, and not being a significant source of information beyond currently trending events, then sure. Call me when there's something equivalent to Wikipedia that's built into Facebook without linking out into the Internet as a whole, or something equivalent to Amazon, or something equivalent to airline and hotel reservation websites, or....

So no, Facebook is not succeeding as a replacement for the Internetâ"only for the very narrow slice of the Internet that was previously dominated by MySpace.

Re:Phishing is good

[dgatwood]

Oops. Slashdot's website broke badly. Submissions weren't showing up for minutes. And now I got three identical posts because the duplicate post detection also wasn't working. *sigh*. Sorry for the noise.

Re:Never saw that coming

[tepples]

Assuming DNSSec gets deployed as it should

Not likely as long as domain registrars that bundle DNS service charge extra for DNSSec. <cough>GoDaddy</cough>

someone in the same coffee shop will be able to passively snoop, but won't realistically be able to be in the middle of the communication unless the infrastructure is badly broken.

It is in fact "badly broken." If Starbucks Wi-Fi is "attwifi" (as it often is) and an attacker with two radios makes a bridge with the other end having the SSID "Starbucks", a first-time visitor won't know the difference and will likely choose to associate to the rogue AP.

At that point, your endpoint is untrusted

In the case of Fullscreen API, HTTPS strengthens the identity of the entity that made the endpoint appear less trusted. Under current policy, when an origin goes full-screen for the first time, the browser presents a "cancel or allow" prompt showing the hostname in big letters. But with cleartext HTTP, the user can't be sure that he's communicating with the intended origin instead of an active attacker.