A security researcher found a high rate of abuse of domain validation SSL certificates for use in phishing campaigns,...
but certificate authorities may not be capable or willing to police this malicious behavior.
Let's Encrypt issued more than 15,000 domain validation (DV) certificates to websites containing the name "PayPal" in the domain. Vincent Lynch, senior security analyst at The SSL Store, said "more than 99%" of these sites had the intent of running phishing schemes and suggested that Let's Encrypt -- a free and automated certificate authority (CA) and competitor of The SSL Store -- had a duty to revoke the SSL certificates or ban the users to stop the malicious behavior.
Lynch admitted he never directly contacted Let's Encrypt about the issue, but Let's Encrypt responded to the research during an interview with Josh Aas, executive director at Let's Encrypt, which was published in New York Magazine. In that interview, Aas said that the company couldn't police such malicious activity due to a lack of resources and focus on automation, but also did not want to step in because of censorship concerns.
Aas told SearchSecurity Lynch was asking Let's Encrypt to block DV certificates from being issued to domains containing the word "PayPal," but Aas said it was "obvious it won't stop there -- sooner rather than later we'd end up blanket blocking hundreds of words in domains and that's not a road we even want to start down."
Aas also pointed out that this is an issue he has been dealing with for years and shared a link to a 2015 blog post where he explained Let's Encrypt's position on whether it should police content.
"Let's Encrypt is going to be issuing DV certificates. On a technical level, a DV certificate asserts that a public key belongs to a domain -- it says nothing else about a site's content or who runs it," Aas wrote in the blog post. "DV certificates do not include any information about a website's reputation, real-world identity, or safety. However, many people believe the mere presence of DV certificate ought to connote at least some of these things."
Lynch told SearchSecurity he agreed that CA policing "is often too aggressive" and admitted it could be a "significant burden" on Let's Encrypt, but had conflicting feelings about the view that "the only point of a DV certificate is to connect a registered domain name to a cryptographic key."
"[Let's Encrypt is] right when you only consider the purpose of the SSL/TLS protocol. But most CAs think you should go further and filter out malicious sites -- sort of applying a 'common sense' rule," Lynch said. "Prior to Let's Encrypt, all the major CAs agreed that malicious use was an issue and they worked to prevent it. Now, in the last 12 months, Let's Encrypt has grown to become one of the biggest (if not the biggest) CA and is using that position to bring some major change to established precedent."
Flaws in the DV certificate system
The problem seems to be inherent to DV certificates because they need the lowest level of validation in order to be issued, requiring only that the owner of a domain is able to respond to communication (most often email) and approve the request for a certificate. Extended validation certificates and organization validated certificates have higher requirements, including legal proof of the identity of the entity controlling the domain.
Because of this low bar of authentication, Let's Encrypt built its service on being free and using automation to provide DV certificates quickly and easily. However, this also means Let's Encrypt doesn't have the staff or resources to investigate potential abuse.
"We don't have the resources to do so if we wanted to, and if we did take any action against suspected phishing and malware sites it would be highly ineffective," Aas said. "We also don't want to be in a position of censorship. We strongly recommend that people use products like Google Safe Browsing and Microsoft SmartScreen for phishing and malware protection, as those products are much more effective than we could ever be in trying to protect people."
Danny Rogers, CEO and co-founder of Terbium Labs, said this lack of oversight is a fundamental problem with DV certificates.
"This was the original reason behind things like PGP crypto parties, and it's why certificate vendors like Entrust require all kinds of manual verification in order to receive certs. It's also why they cost money -- to cover the resources required to do that verification," Rogers told SearchSecurity. "The short answer is, yes, DV certificates should require more vetting, but how to accomplish that without creating a digital divide is an enormous, open question."
Scott Petry, co-founder and CEO of Authentic8, said it seemed like bad practice to issue DV certificates to malicious sites, but said the core issue was a misunderstanding of what a certificate does.
"DV certificates provide very little validation, [only] that a host is associated with a domain. There is little oversight here, but that's not the core issue. The core of the issue is that people assume too much when a DV cert is approved. The nuance of the DV cert versus a higher level cert is lost on the user," Petry told SearchSecurity. "When a user sees HTTPS and the green checkbox, they assume they're secure. But that's not an argument that the DV cert isn't valid. It would be easier to misrepresent a domain affiliation without the DV and fewer sites would be moving the HTTPS."
Lynch said understanding what the HTTP and HTTPS symbols in a browser mean is key to the entire problem.
"Right now, HTTP is 'normal' and gets no indicator, and HTTPS is 'good' and gets the padlock. Sometime in the future [Google Chrome] will flip it so HTTP is 'bad' and gets a negative indicator to indicate risk, and HTTPS will be 'normal' and have no indicator. When a browser stops actively affirming the security of HTTPS, it means you can set the bar lower, if that makes sense," Lynch said. "I think Let's Encrypt is mainly thinking about the future, while the other CAs are thinking about the present."
Johan Nestaas, threat researcher at RiskIQ, said the "green lock issue is the worst" and said the solution is simply the need for better educated users.
"The conventional wisdom on phishing over the years has been: Look up at the URL bar to see if the site is safe. CAs used to be far more strict and actually call the owner of the site and have them prove they're a real business. Today, browsers don't seem to distinguish the different levels of authenticity or identity, which is becoming more and more of a problem," Nestaas told SearchSecurity. "When it comes to privacy of communication, Let's Encrypt is great. That's why most people are very pro-LE. It's important, but users need to be educated about what LE does and doesn't do. Although they can make a best effort at preventing phishers and scammers, they will never completely solve that."
Aas said that in a world where HTTPS is expected or enforced by browsers "taking away a certificate would effectively shut down a site," making CAs gatekeepers for the web, but Aas believes "CAs would make terrible gatekeepers for the web; they're just not equipped for that role."
"Nobody wants to make life easier for malicious actors, but the actions some people propose we take would be ineffective, wasteful, architecturally ill-conceived, and potentially hurt innocent users. Most browser UIs misrepresent this to users, and historically CAs have implied that certificates represent more about site safety than they actually do," Aas said. "It's true that HTTPS is not universally required by browsers yet, but there are already use cases where HTTPS is effectively required by browsers or the law. It is our position that every site needs HTTPS now."
Learn more about whether Google's Certificate Transparency tool can prevent certificate abuse.
Find out how to buy digital certificates for your enterprise.
Get info on how to manage certificate authority risk.