
Risk & Repeat: Let's Encrypt certificates offer pros, cons

In this week's Risk & Repeat podcast, SearchSecurity editors discuss Let's Encrypt certificates and weigh the positives and negatives the free certificate authority provides.

Let's Encrypt was created to provide free and easy-to-use TLS and SSL certificates, but the organization has experienced some missteps lately.

The Let's Encrypt certificate authority, which was created in 2016 as a nonprofit by the Internet Security Research Group, last week disabled TLS-SNI-01 validation in its Automatic Certificate Management Environment (ACME) protocol after a serious vulnerability came to light. Security researcher Frans Rosen of Detectify discovered how to abuse the ACME TLS-SNI-01 specification and obtain Let's Encrypt certificates for domains that weren't under his control.

The organization is also dealing with the ongoing problem of cybercriminals and threat actors using Let's Encrypt certificates for phishing attacks and other threats. Research published last spring by The SSL Store, a certificate provider, showed that over a 14-month period, more than 15,000 Let's Encrypt certificates were issued for PayPal domains designed for phishing. And last month, cybersecurity vendor PhishLabs reported a dramatic increase in phishing sites using HTTPS, thanks in large part to obtaining free certificates from organizations like Let's Encrypt.

While Let's Encrypt issues certificates to legitimate organizations, malicious actors can also obtain certificates because the process is automated and has very few checks.

Are free certificate authorities a good idea? Should Let's Encrypt do more to stop abuse? What should be done to prevent threat actors from abusing Let's Encrypt certificates? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

4 comments

What has been your experience with Let's Encrypt?

It was OK I guess for a free cert, easy to set up and easy to renew, even automated renewal with a cron job. Primis by the way!

It is amusing that people want to associate Let's Encrypt with phishing as if they are responsible for defective browser security and poor user awareness.

Two things, Greg. First, we did discuss on the podcast how much other parties were responsible for these phishing attacks. We didn't lump it all at Let's Encrypt's door. Second, what would you like the browsers to do, Greg? The LE certificates give these phishing sites a level of authenticity that they wouldn't normally have (and which security companies/experts *specifically* tell users to look for). So what should the browsers do?