Slashdot Mirror

← Back to Stories (view on slashdot.org)

Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com)

Posted by EditorDavid on from the let's-blame-Let's-Encrypt dept.

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... The reason people treat us like a punching bag is that we are big and we are transparent. "
The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption."

15 of 207 comments (clear)

  1. Strawman criticism by QuietLagoon · · Score: 5, Insightful

    Kaspersky Labs needs to get some good press, so they create a strawman reason to criticize Let's Encrypt and then start blogging. As Let's Encrypt says, "its role is not to police the internet, rather its mission is to make communications secure." One has to wonder why Kapersky Labs has a problem with that.

  2. Nonsense by gweihir · · Score: 5, Insightful

    My boss recently got an ESL certificate from a reputable tier-1 vendor. The validation was a complete joke: A guy with bad English asked him some questions over the phone that anybody could have found the answers to with a bit of work. The only security in place for ESL certs is that they are not that cheap, but that does not help against a targeted attack, because they are not really expensive either.

    The bottom line is that certificates weakly ensure one thing: You are still talking to the same site on the next visit. They also ensure that small-time criminals will find it somewhat difficult to eavesdrop. And that is about it. In many cases, self-signed certificates will be more secure than that. The whole certificate-system is a bad joke, created by the utterly incompetent with too much trust and then corrupted by state-sponsored malicious actors. Incidentally, this is not a surprise. Basically all what is broken with the system now was predicted by perceptive people decades ago.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Re: agreed by Anonymous Coward · · Score: 5, Insightful

    That's a large part of why the CA model is broken. CAs shouldn't be competing at all; they're there to provide a service. Imagine if OpenPGP keyservers were competing... There's no reason for it unless you're a bad actor to begin with.

    What LE is doing has helped people see that a security cert isn't something you should pay for, and that being signed by a CA doesn't mean anything, especially with the shitty politics Google et al have been playing at the CA level.

    The well is poisoned, and the big boys are attacking the people who pointed it out.

  4. Follow the money by Scutter · · Score: 5, Insightful

    "We're mad because Let's Encrypt makes it way too easy for the plebs to get a certificate without paying hundreds or thousands of dollars per year to a CA."

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  5. Re:Yes, but that's just a symptom of the problem. by king+neckbeard · · Score: 4, Informative

    The verification is performed by software, the same as any other CA. Less frequent renewals would not result in more through vetting.

    --
    This is my signature. There are many like it, but this one is mine.
  6. BS by duke_cheetah2003 · · Score: 5, Insightful

    Calling BS on this. There is nothing inherently wrong with issuing certs. Regardless of who issues those certs, they can only be used to create a secure identified connections between a user and a server.

    They definitely do not facilitate criminality any more than Apache2 does. This is just pure silliness. There's nothing wrong here. Bad guys can get certs from other sources just as easily as anyone else. They can get them from Let's Encrypt, too. So can everyone else. A certificate doesn't facilitate illegal activity. It's just for a secure connection.

    Something tell me there's more to this than simply crying wolf about bad guys getting certs easily. Someone obviously would prefer that web hosts, big and small, don't get cheap (or free) certs to secure their connections from prying eyes.

    While the justification might be 'bad guys are abusing this,' I'm still calling BS. Someone (or some *cough* three letter agency) is annoyed that people can easily secure their servers.

    I'd go as far as to say, Let's Encrypt is having precisely the effect it sought to have. More secure connections on all HTTP traffic across the web. Anyone can TLS up their servers now with very little effort. Good job, Let's Encrypt, you're having a profound and ultimately awesome effect on the web's privacy and shielding from prying eyes. And that effect is a good one, especially when people are crying 'omg it's too easy to get certs now!' Good. Nothing like a very secure connection to give the middle finger to three letter agencies.

    1. Re:BS by thegarbz · · Score: 4, Insightful

      Not only is it BS, it's the exact opposite.

      Having in the past gotten a DV certificate through a normal vendor and now getting them through LetsEncrypt, it is quite clear that the process for LetsEncrypt is far more robust (actual proof I have access to the server by modifying it's contents as part of the handshake) than what most other CA's offer which for DV is based on little more than faith, and for EV based on talking to someone in an Indian call centre who can't understand you anyway.

  7. Re: Green Bar is the probem. by Zero__Kelvin · · Score: 4, Insightful

    No. You have to explain to get you misinformed her. You have to tell her that what you initially told her was never true, and you had no idea what you were talking about.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  8. Re:Green Bar is the probem. by Gravis+Zero · · Score: 5, Informative

    I've spent better part of a day to explain to My Mom how to distinguish a safe website from unsafe one. You look at the Green Bar / Lock. Is it green? you are good to give them your name and CC details.

    Now I'm going to her and have to explain, that no, things have changed

    No, nothing has changed about what that green bar means: encrypted connection. You pushed a false idea on to your mother, an idea that companies planted and you blindly accepted.

    --
    Anons need not reply. Questions end with a question mark.
  9. Re:agreed by sexconker · · Score: 5, Insightful

    The fact that Chrome and FF use their own cert stores and update them unilaterally without the user ever knowing is absurd.

    The browser should use the cert store on the OS. And the OS should update the certs. (And when MS updates certs, it should optionally present detailed info to the user about changes.)

    The entire concept of CAs is built around trust in an environment where none of the actors and powers that be are trustworthy.

  10. Re: Green Bar is the probem. by Zero__Kelvin · · Score: 4, Informative

    The S stands secure and has always stood for that. Her CC number will be securely sent to the server in question. Again, LetsEncrypt changes nothing about how all this works. You have no clue. If she connects securely to trumpuniversity.com or does so through http she will get scammed either way. Read the hundreds of other posts here where everyone else already understands this. Time to admit to mom you aren't the ubergeek you let them think you are I'm afraid. Off you go now ...

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Re: Green Bar is the probem. by svanheulen · · Score: 5, Informative

    You're making assumptions about what "secure" means in this context. It means the communications are secure from 3rd parties. That doesn't mean the website you're communicating with isn't evil. It never has.

  12. Re:agreed by Anonymous Coward · · Score: 5, Insightful

    Often the only indication the user has that they are being MITMed is precisely because the browser did not use the OS cert store.

  13. Re: Green Bar is the probem. by thegarbz · · Score: 4, Informative

    NBow I have to explain to her that 'S does not stand for Secure

    Of course it stands for "secure". You can rest assured in the comfort that when you type your Paypal password in at https://www.payypall.com/ I or anyone else other than the operators of the scam site are unable to see your password.

    Validation of companies was not part of getting an SSL certificate, not until 2005 anyway when the EV certificate was introduced. And it wasn't long after that browsers started displaying EV details differently which is why when I go to https://www.payypall.com/ I see a green lock, but when I go to https://www.paypal.com/ I see "Paypal Inc, [US]" written in the address bar.

  14. Re:Have two cert grades by thegarbz · · Score: 4, Interesting

    There is a solution to this: have two grades of certificates

    You're right. There is a solution to this. It was developed 12 years ago in the form of EV certificates and has been in use for a long while along with a far better indicator than the one you proposed:

    If you go to https://www.slashdot.org/ you will see a little green lock and the word "Secure"
    If you go to https://www.bankofamerica.com/ you will see a little green lock and the words "Bank of America Corporation [US]"

    No need for any fancy domain name URL checking.