
Risk & Repeat: Let's Encrypt certificates offer pros, cons

In this week's Risk & Repeat podcast, SearchSecurity editors discuss Let's Encrypt certificates and weigh the positives and negatives the free certificate authority provides.

Let's Encrypt was created to provide free and easy-to-use TLS and SSL certificates, but the organization has experienced some missteps lately.

The Let's Encrypt certificate authority, which was created in 2016 as a nonprofit by the Internet Security Research Group, last week disabled TLS-SNI-01 validation in its Automatic Certificate Management Environment (ACME) protocol after a serious vulnerability came to light. Security researcher Frans Rosen of Detectify discovered how to abuse the ACME TLS-SNI-01 specification and obtain Let's Encrypt certificates for domains that weren't under his control.

The organization is also dealing with the ongoing problem of cybercriminals and threat actors using Let's Encrypt certificates for phishing attacks and other threats. Research published last spring by The SSL Store, a certificate provider, showed that over a 14-month period, more than 15,000 Let's Encrypt certificates were issued for PayPal-themed domains set up for phishing. And last month, cybersecurity vendor PhishLabs reported a dramatic increase in phishing sites using HTTPS, thanks in large part to the free certificates such sites obtain from organizations like Let's Encrypt.

While Let's Encrypt issues certificates to legitimate organizations, malicious actors can also obtain certificates because the process is automated and has very few checks.
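Because automated, domain-validated issuance does not judge whether a hostname is impersonating a brand, defenders typically watch Certificate Transparency (CT) logs themselves and flag new certificates whose names contain a brand they care about but that sit under an unrelated registrable domain. The script below is an added example, not code from SearchSecurity, Let's Encrypt or any of the vendors named above; the brand allowlist, the digit-to-letter confusable map, the two-label "registrable domain" shortcut and the sample CT-style records are all constructed assumptions for illustration.

```python
"""
Heuristic brand-impersonation check over CT-style certificate records.

Runs offline on constructed sample data. The brand allowlist and the
registrable-domain shortcut are assumptions for this example, not an
authoritative list or a full public-suffix implementation.
"""
import re

# Assumption: brands we monitor and the registrable domains they legitimately use.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
    "example-bank": {"example-bank.com"},
}

# Digits commonly swapped in for look-alike letters (e.g. "paypa1", "g00gle").
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.

    A simplification of the public suffix list that is adequate for the
    .com/.net/.org/.me style names used in this example.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(text: str) -> str:
    """Lower-case, map confusable digits to letters and drop separators so
    that 'Pay-Pa1' and 'paypal' compare equal."""
    return re.sub(r"[-_]", "", text.lower().translate(CONFUSABLES))


def impersonates(hostname: str, brand: str) -> bool:
    """True when the brand name appears in the hostname (after normalization)
    but the hostname's registrable domain is not one the brand owns."""
    host = hostname.lower().lstrip("*.")  # drop a wildcard prefix if present
    if registrable_domain(host) in BRAND_DOMAINS[brand]:
        return False  # legitimately issued to the brand's own domain
    return normalize(brand) in normalize(host)


def scan_ct_records(records):
    """Walk CT-style records (issuer + subject alternative names) and return
    one finding per (hostname, brand) pair that looks like impersonation."""
    findings = []
    for rec in records:
        for name in rec["names"]:
            for brand in BRAND_DOMAINS:
                if impersonates(name, brand):
                    findings.append(
                        {"name": name, "brand": brand, "issuer": rec["issuer"]}
                    )
    return findings


# Constructed sample records shaped like CT log entries; not real certificates.
SAMPLE_RECORDS = [
    {"issuer": "Let's Encrypt Authority X3", "names": ["www.paypal.com", "paypal.com"]},
    {"issuer": "Let's Encrypt Authority X3", "names": ["secure-paypa1-login.example.net"]},
    {"issuer": "Let's Encrypt Authority X3", "names": ["*.paypal.com.account-verify.org"]},
    {"issuer": "Example CA", "names": ["news.example-bank.com"]},
    {"issuer": "Let's Encrypt Authority X3",
     "names": ["examplebank-support.com", "mail.unrelated.org"]},
]


if __name__ == "__main__":
    for f in scan_ct_records(SAMPLE_RECORDS):
        print(f"{f['name']:40s} looks like {f['brand']!r} (issued by {f['issuer']})")
```

On the sample data the two legitimate PayPal names and the bank's own subdomain pass, while the digit-substituted name, the wildcard name that buries "paypal.com" inside another registrable domain, and the hyphen-dropped bank name are flagged. In practice the records would come from a CT log feed and the allowlist would use a real public-suffix library, but the flagging logic stays the same.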

Are free certificate authorities a good idea? Should Let's Encrypt do more to stop abuse? What should be done to prevent threat actors from abusing Let's Encrypt certificates? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.


What has been your experience with Let's Encrypt?
It was OK I guess for a free cert, easy to set up and easy to renew, even automated renewal with a cron job. Primis by the way!
It is amusing that people want to associate Let's Encrypt with phishing as if they are responsible for defective browser security and poor user awareness.
Two things, Greg. First, we did discuss on the podcast how much other parties were responsible for these phishing attacks. We didn't lump it all at Let's Encrypt's door. Second, what would you like the browsers to do, Greg? The LE certificates give these phishing sites a level of authenticity that they wouldn't normally have (and which security companies/experts *specifically* tell users to look for). So what should the browsers do?