In this week’s Risk & Repeat podcast, SearchSecurity editors discuss Let’s Encrypt certificates and weigh the positives and negatives the free certificate authority provides.
Let’s Encrypt was created to provide free and easy-to-use TLS and SSL certificates, but the organization has experienced some missteps lately.
The Let’s Encrypt certificate authority, which was created in 2016 as a nonprofit by the Internet Security Research Group, last week disabled TLS-SNI-01 validation in its Automatic Certificate Management Environment (ACME) protocol after a serious vulnerability came to light. Security researcher Frans Rosen of Detectify discovered how to abuse the ACME TLS-SNI-01 specification and obtain Let’s Encrypt certificates for domains that weren’t under his control.
The organization is also dealing with the ongoing problem of cybercriminals and threat actors using Let’s Encrypt certificates for phishing attacks and other threats. Research published last spring by The SSL Store, a certificate provider, showed that over a 14-month period, more than 15,000 Let’s Encrypt certificates were issued for PayPal domains designed for phishing. And last month, cybersecurity vendor PhishLabs reported a dramatic increase in phishing sites using HTTPS, thanks in large part to obtaining free certificates from organizations like Let’s Encrypt.
While Let’s Encrypt issues certificates to legitimate organizations, malicious actors can also obtain certificates because the process is automated and has very few checks.
Are free certificate authorities a good idea? Should Let’s Encrypt do more to stop abuse? What should be done to prevent threat actors from abusing Let’s Encrypt certificates? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.