code everywhere
technology, web services and applications

Letsencrypt.org certs being used in phishing attacks

posted on October 1, 2016, 1:14 am in http

If you don't know about it, Let's Encrypt (letsencrypt.org) is a new certificate authority that's providing free certs.

The Problem

Phishing and scam websites try as hard as they can to look legitimate, and they'll use whatever tools are free. With Let's Encrypt SSL certificates being free, they're starting to show up on many of these bad websites.

You can read their policy describing how they handle phishing and malware sites here: letsencrypt.org/2015/10/29/phishing-and-malware.html. The summary is they won't do anything about it, and that's completely irresponsible.

making things worse

By giving out SSL Certificates, they are vouching for these sites, providing legitimacy. Refusing to take action after a site is reported makes them just as guilty as the scammer.

They say they use the Google Safe Browsing API to vet domains, but that's only pushing the problem to someone else to fix.

possible solutions

Their process is automated, but some basic checking through a domain blacklist should be able to spot the majority of offenders. The list could consist of common banks, email providers, PayPal, credit card companies, etc.
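Here is what that blacklist check could look like, as an added example that is not code from this post or from Let's Encrypt. The brand list, the allowlist of legitimate owners and the sample names are constructed for illustration; a real deployment would carry a much longer list and use the Public Suffix List instead of simply dropping the last label. The check undoes common lookalike substitutions (digits for letters, "rn" for "m") before matching, so a label like "paypa1-verify" is caught, and it exempts subdomains of the brand's own domain.

```python
"""Pre-issuance brand check of the kind the post proposes.
Illustrative code, not Let's Encrypt's own: flags requested names that
contain a protected brand name after undoing lookalike substitutions."""

# Constructed, illustrative list; a real deployment would maintain a much
# longer list of banks, email providers, card brands, etc.
PROTECTED_BRANDS = (
    "paypal", "chase", "wellsfargo", "bankofamerica",
    "gmail", "outlook", "visa", "mastercard",
)

# Constructed allowlist of domains that legitimately carry those brands.
ALLOWLIST = (
    "paypal.com", "chase.com", "wellsfargo.com", "bankofamerica.com",
    "gmail.com", "outlook.com", "visa.com", "mastercard.com",
)

# Single-character substitutions that make a label read like a brand
# while dodging a naive substring match.
LOOKALIKE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
})
# Multi-character lookalikes: 'rn' reads as 'm', 'vv' reads as 'w'.
LOOKALIKE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize_label(label: str) -> str:
    """Lower-case a DNS label, undo lookalike substitutions, drop hyphens."""
    label = label.lower().translate(LOOKALIKE_CHARS)
    for seq, rep in LOOKALIKE_PAIRS:
        label = label.replace(seq, rep)
    return label.replace("-", "")


def _canonical(domain: str) -> str:
    """Trim whitespace, lower-case and strip a trailing dot."""
    return domain.strip().lower().rstrip(".")


def is_allowlisted(domain: str, allowlist=ALLOWLIST) -> bool:
    """True if the domain is an allowlisted name or a subdomain of one."""
    d = _canonical(domain)
    return any(d == a or d.endswith("." + a) for a in allowlist)


def find_brand_matches(domain: str, brands=PROTECTED_BRANDS):
    """Return [(brand, original_label), ...] for every label other than the
    TLD that contains a protected brand once normalized."""
    labels = _canonical(domain).split(".")
    hits = []
    # Skip the last label (the TLD); a real check would consult the
    # Public Suffix List so that e.g. "co.uk" is also skipped.
    for label in labels[:-1]:
        norm = normalize_label(label)
        for brand in brands:
            if brand in norm:
                hits.append((brand, label))
    return hits


def should_hold_for_review(domain: str, brands=PROTECTED_BRANDS,
                           allowlist=ALLOWLIST) -> bool:
    """Decision: hold the request for a human if the name trades on a
    protected brand and is not an allowlisted owner of that brand."""
    if is_allowlisted(domain, allowlist):
        return False
    return bool(find_brand_matches(domain, brands))


if __name__ == "__main__":
    # Constructed sample requests, not real certificate requests.
    for name in ("www.paypal.com", "paypa1-verify.com",
                 "paypal.com.secure-login.example", "rnastercard.net",
                 "purchase.example", "example.org"):
        print(f"{name:35} hold={should_hold_for_review(name)!s:5} "
              f"{find_brand_matches(name)}")
```

Substring matching is deliberately broad: "purchase.example" is flagged because the label contains "chase". That is why the result is a hold-for-review signal rather than an automatic denial; the list catches the bulk of obvious brand abuse, and a human clears the false positives.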

The second safeguard could be a simple contact form on letsencrypt.org to report a domain. Google does it (www.google.com/safebrowsing/report_phish/), as do many others; it's easy and effective.

Remember, you can't trust a site just because you see the https, and shame on letsencrypt.org for doing nothing about it.
