By Stefano Maffulli, Director of Community, DreamHost
There’s been a very recent call for Let’s Encrypt to stop issuing certificates containing the name “PayPal” because of the potential abuse for phishing attacks. The logic behind the call seems reasonable at first, but it highlights an issue in a world where secure certificates are free and plentiful: who should police the content of websites that choose to use secure certificates?
It’s a question that’s caused some debate in the world of security certificates lately, and one with no clear answer.
Should the burden of fraud and malware detection live with the certificate authorities? Or should they simply provide certificates and get the heck out of the way? We believe the latter is the better choice, because it’s the best way to help encryption spread across the web with as few barriers to entry as possible.
A much better approach is to ask browser developers to continue using the tools they’ve already got in place that warn users of reported trouble sites and accept reports of new sites with malware. Processes that are already working shouldn’t have to change just because encryption is involved. Let’s Encrypt is a certification authority that issues free certificates and, since its launch, has had tremendous success. We at DreamHost began issuing free Let’s Encrypt certificates in January 2016, and since then we’ve issued over 110k of them.
The author of the article argues that Let’s Encrypt certificates are being used to trick users; therefore, the certification authority should interpret intentions based on a string of characters. How that is going to work in practice is not clear, though.
How can anybody decide that paypal.business.com is not a valid API endpoint? Or how about a certificate for domains that contain the word “paypal,” like boycott-paypal.com or paypalsucks.com? Why limit to PayPal anyway, when banks and insurance companies are often used as bait for phishing attacks, too?
Asking any certificate authority to act to prevent these types of phishing problems is barking up the wrong tree. A better place to attack this problem is closer to the users, at the browser level. Mozilla, Google, Microsoft, and Apple are the ones who can protect users and actively train them to recognize a forged site from a good one.
Lots can be done there. For example, there is a visible difference between a certificate issued via Let’s Encrypt on a random domain and PayPal’s own certificate. I discovered this only yesterday, I must confess. See the screenshots below of what happens when you click on the green padlock on Firefox for paypal.com and a demo site I set up for the occasion.
The difference is subtle, too subtle to notice at first: the browser is showing the words PayPal, Inc. (US) in green, next to the green lock. That means that while both certificates correctly encrypt web traffic, they are very different.
First, let’s look at the Let’s Encrypt certificate for my demo site. Notice the Common Name and Organization that issued the certificate (Let’s Encrypt Authority X3):
Now look at the common name of the authority that issued the certificate for PayPal: Symantec Class 3 EV
EV stands for “Extended Validation,” which means that PayPal had to jump through multiple hoops to demonstrate that they really were PayPal before the certificate was issued.
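To make the distinction concrete, here is an added example (not code from the original post, DreamHost, or Let’s Encrypt) that mirrors what a browser does when it decides whether to show an organization name next to the padlock. The certificate contents are constructed dicts standing in for the two certificates described above (a Let’s Encrypt certificate on a demo domain and PayPal’s EV certificate); the host name demo.example and the field values are assumptions. The classification goes a step beyond the post by also covering the middle tier, Organization Validated (OV), and ends with the substring check from the earlier paragraph to show why “contains the word paypal” is not a usable signal.

```python
"""Classify a server certificate by validation level (DV / OV / EV) the way a
browser decides what to show next to the padlock, using constructed certificate
data rather than real parsed X.509 certificates."""

# CA/Browser Forum certificate-policy OIDs (standard published values).
CABF_DV = "2.23.140.1.2.1"   # Domain Validated (what Let's Encrypt issues)
CABF_OV = "2.23.140.1.2.2"   # Organization Validated
CABF_EV = "2.23.140.1.1"     # Extended Validation

# Subject attributes the EV guidelines require on top of plain OV.
EV_REQUIRED_SUBJECT_FIELDS = ("O", "C", "businessCategory", "jurisdictionCountryName")


def validation_level(cert):
    """Return 'EV', 'OV' or 'DV' for a cert dict with a 'subject' dict and a
    'policies' list of OID strings."""
    subject = cert["subject"]
    policies = set(cert.get("policies", []))
    # EV needs both the EV policy assertion and the identity fields behind it.
    if CABF_EV in policies and all(f in subject for f in EV_REQUIRED_SUBJECT_FIELDS):
        return "EV"
    # An organization name without the EV policy is only organization validated.
    if "O" in subject and CABF_OV in policies:
        return "OV"
    return "DV"


def padlock_label(cert):
    """Text a browser would show beside the padlock: 'Organization (Country)'
    for EV, otherwise nothing but the host name itself."""
    subject = cert["subject"]
    if validation_level(cert) == "EV":
        return f'{subject["O"]} ({subject["C"]})'
    return subject["CN"]


def name_contains_brand(host, brand="paypal"):
    """The string-matching rule the post argues against: true for any host that
    merely contains the brand name, legitimate or not."""
    return brand.lower() in host.lower()


# Constructed sample certificates (assumed values, not real certificate data).
DEMO_CERT = {
    "issuer": {"CN": "Let's Encrypt Authority X3", "O": "Let's Encrypt"},
    "subject": {"CN": "demo.example"},
    "policies": [CABF_DV],
}

PAYPAL_CERT = {
    "issuer": {"CN": "Symantec Class 3 EV SSL CA - G3", "O": "Symantec Corporation"},
    "subject": {
        "CN": "www.paypal.com",
        "O": "PayPal, Inc.",
        "C": "US",
        "businessCategory": "Private Organization",
        "jurisdictionCountryName": "US",
    },
    "policies": [CABF_EV],
}

OV_CERT = {
    "issuer": {"CN": "Example OV CA", "O": "Example CA Ltd"},
    "subject": {"CN": "shop.example", "O": "Example Shop GmbH", "C": "DE"},
    "policies": [CABF_OV],
}


if __name__ == "__main__":
    for cert in (DEMO_CERT, PAYPAL_CERT, OV_CERT):
        print(f'{cert["subject"]["CN"]:18} {validation_level(cert):3} -> {padlock_label(cert)}')
    # Names from the post: the substring rule flags all of them the same way.
    for host in ("paypal.business.com", "boycott-paypal.com", "paypalsucks.com", "www.paypal.com"):
        print(f"{host:22} contains brand: {name_contains_brand(host)}")
```

The point of the design is that the green organization label is derived from fields the CA verified (the EV policy OID and the organization and jurisdiction attributes), not from the host name; the substring check, by contrast, cannot separate PayPal’s own site from a criticism site or an unrelated API endpoint, which is exactly why the browser-side signal is the one worth teaching users to look for.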
Did you know the difference? I didn’t (until very, very recently).
Let’s Encrypt and other certificate authorities cannot realistically police the certificates they issue. Remember, there are many parts to serving up a web page to users. It’s a process that also includes registrars, web hosts, and browsers.
Online security needs to be treated as a holistic issue; all parts need to function in a defensive manner. Browsers can definitely do a better job at informing users of the different levels of validation that certificates go through. Although that’s not a simple issue either, at least it helps educate the last line of defense: internet users.
About the Author
Stefano Maffulli is the Director of Community at DreamHost, a global web hosting, domain registrar and cloud services provider.