35

I recently almost got caught by a phishing attempt, due to the use of a relatively convincing domain name and valid SSL certificate (specifically this website). When checking the certificate it turns out it was issued by Let's Encrypt. So I went there and as far as I understand the process to issue a certificate is automated - if you own a domain, you can get a certificate.

However isn't it a security issue and doesn't it go (at least partially) against the point of SSL certificates? Malicious websites can now look legitimate thanks to these certificates, which makes it a lot more likely that they will succeed. In my case I saw the green padlock on the URL and thought that all was good. Now it seems, due to this certificate issuer, users will be expected to click on that padlock and check who issued the certificate (and close the tab if it's from letsencrypt??).

So I'm wondering, given the security risk, why do browsers accept this certificate by default? I'm surprised especially that Chrome does given how careful Google is with security. Do they consider that letsencrypt is a good idea?

laurent
  • 46
    If you think normal (non-EV) SSL certificates from other authorities ever guaranteed anything more than LetsEncrypt then you might be in for a shock. Also: _"... users will be expected to ... check who issued the certificate"_ - No, users are (and always were) expected to check if they're actually visiting the intended domain, in addition to the padlock. – marcelm Nov 25 '16 at 15:20
  • 7
    You may also be surprised by a "flexible SSL" by Cloudflare CDN. – KnightHawk Nov 25 '16 at 15:53
  • 7
    I'd also add that the security benefit in ensuring encrypted connections are used with as many legitimate websites as possible far outweighs the risk of the _perceived legitimacy_ a minority of users may infer from the presence of a SSL certificate/green tick - a risk that still could happen when criminals buy certificates with stolen credit cards anyway. Given a deteriorating internet security situation and the ease of intercepting non-SSL data, an increase in SSL usage -https://w3techs.com/blog/entry/the_impact_of_lets_encrypt_on_the_ssl_certificate_market - can only be a good thing. – pwdst Nov 25 '16 at 19:12
  • What makes you believe your first link there is phishing? – rogerdpack Nov 25 '16 at 19:35
  • 1
    @rogerdpack - SSLShopper is legit, but the website `customs-tax.uk` that is shown there definitely looks phishy - they're asking for credit card details to process a tax refund, but none of the links in the header/footer work correctly. – Simon East Nov 25 '16 at 21:40
  • @rogerdpack: The link posted is not phishing, it seems to be for a site that checks TLS certificates. However, the site included in the URL for checking, https://customs-tax.uk/ , is certainly a phishing site. – sleske Nov 26 '16 at 00:16
  • 9
    There's a reason it's called "Let's Encrypt" and not "Let's Validate" – Nick T Nov 26 '16 at 00:37
  • 1
    *Malicious websites can now look legitimate* - **They always could, and they always did.** Many hundreds of certificates have been consistently issued every year. There's simply no way to assert all of these are used for "legitimate" purposes, and I've seen this go wrong time and time again. But great question, and outstanding answers here. – Marc.2377 Nov 26 '16 at 02:22
  • @KnightHawk well, the cloudflare cert does require that you have an actual account with cloudflare with a credit card on file--it's not nothing. – Craig Tullis Dec 01 '16 at 18:24
  • @Craig, I have a CloudFlare account with no credit card on file. I can use both their "flexible" and "full" SSL types. I am required (of course) to set the `nameservers` accordingly which does serve as a kind of validation. – KnightHawk Dec 01 '16 at 19:44

3 Answers

130

I think you are misunderstanding what a SSL certificate actually certifies, and what it is designed to protect against.

A standard certificate only certifies that the owner of the certificate actually controls the domain in question. So a certificate for g00dbank.com only certifies that the owner controls the g00dbank.com domain. It does not certify that the owner is a bank, that she is good, or that the site is in fact the well known Good Bank Incorporated.

So SSL is not designed to protect against phishing. Just because you see the green lock up in the left corner does not mean that everything is well. You also need to verify that you are on the correct website - that you are on goodbank.com (as opposed to the phishy g00dbank.com) and that goodbank.com is in fact the website of Good Bank Incorporated.

To make this easier for the average user, there is something called Extended Validation (EV) certificates. These also verify that you are the legal entity that you claim to be, by requiring you to do some paperwork. Most major browsers highlight them by displaying the name of the owner in the address bar.

So to get an EV certificate the phishers at g00dbank.com would have to start a real business (thereby leaving a paper trail), and even then they would probably not get one because their name is too close to a sensitive target.

Lets Encrypt does not issue EV certificates. They issue ordinary ones. But the phishers you encountered could have gotten a certificate from anywhere. In fact, as IMSoP points out in comments, the method Lets Encrypt uses is employed by many of the established CAs as well, the only difference being that Lets Encrypt is more efficient and cheaper. So this has nothing to do with Lets Encrypt specifically, and blocking them would solve nothing.

Anders
  • 3
    This is a really good answer, but it might be worth adding a warning that even most EV cert providers don't reliably vet would-be spoofers and should not be relied on. The user still needs to make sure they are on the right site, most notably by typing in the domain themselves or using a bookmark rather than following links from emails. – Caleb Nov 25 '16 at 17:30
  • @Caleb For sites with EV certs I just check that the name (as opposed to the URL) is right, and that it's in the right country. But maybe I am not cautious enough. What kind of attack are you referring to when you talk about "spoofers"? – Anders Nov 25 '16 at 17:35
  • @Anders Symantec recently (a year ago) issued what they later alleged to be "testing", **EV** certificates for a handful of high-value domain names such as `www.google.com`. https://www.eff.org/deeplinks/2015/09/symantec-issues-rogue-ev-certificate-googlecom and https://security.googleblog.com/2015/09/improved-digital-certificate-security.html has some details, and there was quite a lot written about it in the security blogosphere at the time. – user Nov 25 '16 at 19:11
  • 13
    Also, it's worth clarifying / reiterating that one of the basic points of SSL / TLS / encryption is to prevent data from being intercepted and/or modified in transit and that the goal of Let's Encrypt is to increase the usage of this by removing the cost inhibitor. – mythofechelon Nov 25 '16 at 19:11
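The two checks the answer above separates, what the browser verifies (the certificate's names match the host in the URL) and what the user must verify (the host is the site they meant to visit), can be made concrete in code. The block below is an added example, not code from the question, the answers or Let's Encrypt: `hostname_matches` approximates the RFC 6125 name check a browser performs, and `lookalike_of` is a defender-side heuristic that flags digit-for-letter substitutions and brand names buried in a subdomain. The sample SAN list and the `goodbank.com` brand list are constructed for illustration.

```python
from typing import Iterable, List, Optional

# Constructed sample: Subject Alternative Names a phisher's certificate
# might carry. A domain-validated CA (Let's Encrypt included) attests only
# that the requester controlled these names at issuance time.
SAMPLE_CERT_SANS = ("g00dbank.com", "www.g00dbank.com", "*.login.g00dbank.com")


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a lone '*' matches any single non-empty label."""
    if pattern == "*":
        return len(label) > 0
    return pattern == label


def hostname_matches(cert_names: Iterable[str], host: str) -> bool:
    """Approximation of the browser's hostname check (RFC 6125 style).

    Comparison is case-insensitive, a wildcard is honoured only as the
    entire leftmost label, it never spans more than one label, and it is
    rejected when fewer than two labels follow it ("*.com").
    Nothing here asks who owns the name or whether it is trustworthy.
    """
    host_labels = host.lower().rstrip(".").split(".")
    for name in cert_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if "*" in name:
            if (pat_labels[0] != "*"
                    or any("*" in lbl for lbl in pat_labels[1:])
                    or len(pat_labels) < 3):
                continue  # malformed or over-broad wildcard, ignore this SAN
        if len(pat_labels) != len(host_labels):
            continue
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


# Characters commonly swapped for look-alikes in a typed or linked address.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def skeleton(host: str) -> str:
    """Collapse common look-alike substitutions so variants compare equal."""
    h = host.lower().rstrip(".")
    h = h.replace("rn", "m").replace("vv", "w")
    return h.translate(CONFUSABLES)


def lookalike_of(host: str, protected: List[str]) -> Optional[str]:
    """Return the protected domain that `host` imitates, or None.

    The real domain and its subdomains are never flagged. A host is flagged
    when its skeleton equals a protected domain's skeleton (g00dbank.com) or
    when the protected name is used as a subdomain label of some other
    registrable domain (goodbank.com.example.net). A freshly registered,
    plausible-sounding domain is NOT caught; this is a heuristic only.
    """
    h = host.lower().rstrip(".")
    h_skel = skeleton(h)
    for brand in protected:
        b = brand.lower()
        if h == b or h.endswith("." + b):
            continue  # genuinely the protected domain or one of its subdomains
        b_skel = skeleton(b)
        if h_skel == b_skel or h_skel.endswith("." + b_skel):
            return brand  # digit/letter substitution against the brand
        if h.startswith(b + ".") or ("." + b + ".") in h:
            return brand  # brand name embedded as a subdomain elsewhere
    return None


if __name__ == "__main__":
    for requested in ("g00dbank.com", "goodbank.com", "api.login.g00dbank.com"):
        print(requested, "browser accepts cert:",
              hostname_matches(SAMPLE_CERT_SANS, requested))
    for requested in ("g00dbank.com", "www.goodbank.com", "goodbank.com.example.net"):
        print(requested, "looks like:", lookalike_of(requested, ["goodbank.com"]))
```

The first function returns True for `g00dbank.com` with the phisher's own certificate, which is exactly the situation in the question: the padlock is correct and says nothing about intent. The second function is the kind of check a mail gateway or proxy can run against a short list of protected brands; it also shows the limit of that approach, since a plausible unrelated name such as `customs-tax.uk` is not flagged.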
22

Why does your browser trust certificates from the Let's Encrypt initiative?

Just to make this part clear: Your browser/computer trusts these certificates, because it acknowledged the root CA "DST Root CA X3" and stored it in a list with trusted certificates. The CA "DST Root CA X3" again trusts Let's Encrypt and has signed their certificate.

Are free/cheap/easy-to-get certificates a security problem?

No.

Having a signed certificate or serving https does not imply that the website is malicious or not. It only proves that you connected to a server that has a valid and signed certificate for the domain.

Stefan Braun
  • 1
    Free certificates are a security problem in some sense because when a commercial CA is compromised they lose trust, and loss of trust deprives them of future profit. Free CAs lose almost nothing and earn almost nothing, so they are not forced to implement measures to prevent compromise and often have no money for them. – KOLANICH Nov 25 '16 at 23:54
  • 2
    In other words, an HTTPS certificate can verify that you really are connected to `stealyourmoney.scam` and not an impostor. Whether you *meant* to connect to `stealyourmoney.scam` at all (or that the site is by any standard "good" versus "bad") is outside the scope of HTTPS. – apsillers Nov 26 '16 at 00:25
  • 3
    @KOLANICH "commercial CA is compromised they lose trust, loss of trust deprives them from future profit" - in ideal world yes, but in practice many issuers are too big to fail. – Maciej Piechotka Nov 26 '16 at 02:43
  • @KOLANICH: Also, commercial CAs' practices are so bad that you can't even compare them with Lets Encrypt. – R.. GitHub STOP HELPING ICE Nov 26 '16 at 02:46
11

Certificates do not provide any more guarantee than what is in the certificate itself. In the case of Let's Encrypt certificates, all that is guaranteed is that the server you are connected to belongs to the same entity that owns the domain name you used to connect to it.

There is another class of certificate called "extended validation certificate" where the issuing CA does some more checks. Basically, they verify that the domain is owned by an existing commercial entity. Browsers will typically display such a certificate with a green indicator with more details (Chrome, for instance, will add "the connection is secure and the company is known") to the description of the certificate.

Basically, the presence of a valid SSL certificate does not indicate that the target domain is safe. Even EV certificates do not tell you much (although it's a bit better).

Stephane