An open letter posted by The SSL Store technical support manager Vincent Lynch this week calls on free certificate authority (CA) Let’s Encrypt to block SSL certificates containing the name “PayPal” because of their usage on malicious sites.
Lynch says he is not advocating for a broader content policing approach for Let’s Encrypt or any other CA, but that a block specifically limited to “PayPal” “is an easy, feasible, and effective measure against the most dangerous and malicious use of Let’s Encrypt certificates.”
According to Lynch, Let’s Encrypt has issued 988 certificates containing the name “PayPal” and all but four appear to be for malicious sites.
In response to a request for comment, a Let’s Encrypt spokesperson pointed The WHIR to a 2015 blog post written by Josh Aas, ISRG Executive Director, on the CA’s role in fighting phishing and malware.
Let’s Encrypt, Lynch says, “think it’s not a CA’s job to determine if the site requesting a certificate is safe or legitimate, and that even when one tries to, CAs aren’t very effective at blocking the ‘bad’ sites.”
“As a result, Let’s Encrypt forgoes the pre-issuance checks that CAs have traditionally used to block “high-risk” requests likely to be used for malicious reasons, such as phishing. Instead, Let’s Encrypt defers to services like Google’s Safe Browsing and Microsoft’s SmartScreen which identify and block dangerous sites at a different layer,” he says. “Most of the commercial CAs disagree with Let’s Encrypt’s position and this is a topic that is frequently debated. For more background on this topic, I suggest reading this great post from Eric Lawrence, which inspired this post.”
Lawrence identified 709 certificates containing “PayPal” in the hostname, up from 409 on Dec. 8, 2016. The post also identifies a number of other companies targeted by apparent phishing sites with Let’s Encrypt certificates, including “BankofAmerica”, for which 14 certificates had been issued. Lawrence notes that domain validated (DV) certificates require manual inspection to accurately identify the site owner, and that extended validation certificates have not been widely adopted.
Lynch acknowledges the likely use of misspellings and variations by phishing pages to try to fool victims, but says that “given the current state of user education,” certificates containing “PayPal” should be blocked by Let’s Encrypt.
“There is a future,” Lynch says, “where users have a more nuanced, or at least more accurate understanding of what the padlock icon represents. Where 2FA is widely used. Where HTTPS adoption is so widespread that browsers can flip the paradigm of security UI.”
The discussion in the comments under Lynch’s post highlights several of the opposing positions in the debate within the industry about the roles of certificate authorities, hosts, browser vendors, and others.
In 2015, Trend Micro researchers discovered a malvertising campaign “in which a malicious actor created a subdomain of a legitimate website with a Let’s Encrypt certificate.”
Let’s Encrypt has issued approximately 30 million active certificates.