Let’s Encrypt is the largest certificate authority by volume doling out more than 100,000 free domain certificates a day. The non-profit fulfills a noble mission of securing website communications that is applauded across the internet; it has raised the bar on SSL and TLS security, issuing 100 million HTTPS certificates as of June 2017.
However, despite industry accolades by privacy activists and praise from those in the security community for its mission, some critics are sounding alarm bells and warning that Let’s Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place.
The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls.
“Unsuspecting users might think they are communicating with trustworthy sites because the identity of the site has been validated by a CA, without realizing that these are just domain validation certificates with no assurance about the identity of the organization that owns the site,” said Asif Karel, director of product management at Qualys.
Critics do not contend Let’s Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let’s Encrypt could do a better job vetting applicants to weed out bad actors.
“Let’s Encrypt can absolutely be abused,” said Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let’s Encrypt. “But so can’t any other certificate authority. People act like Let’s Encrypt is the first CA to be abused. This is preposterous.”
Let’s Encrypt Should Lead—Or Should It?
Domain validation certificates are a bare-bones solution for securing communications between a web browser and a server using SSL/TLS encryption. Let’s Encrypt is an automated self-serve system that only checks that an applicant has control over a domain before issuing a free certificate. It’s a system ripe for abuse when issuing domain validation certificates, experts say.
Domain validation certificates are not to be confused with extended validation and organizational validation certificates. These higher-level certificates used by banks, insurers and ecommerce sites require extensive vetting of applicants to ensure sites are who they say they are. Besides the green HTTPS shown in browsers, these higher-level certs can also show the company’s name and in additional to a wealth of data about the website. Let’s Encrypt only issues the basic domain validation certificates. Commercial certificate authorities issue all three tiers, and also are not required to do extensive vetting of domain validation applicants.
“I think the security problem is within the authentication process of getting a (domain validation) certificate. All that’s being done is saying, ‘Okay, here I have a domain.’ I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them,” said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm.
Jett and others applaud the accomplishments of Let’s Encrypt, but believe the organization, founded by Mozilla, Cisco and the Electronic Frontier Foundation, is in a unique position to take a leadership role that could be used to crack down on certificate abuse when it comes to better vetting of applicants in order to weed out criminals. Let’s Encrypt has argued vetting 100,000 domain validation applications a day is not feasible. It adds that there is no requirement on any certificate authority to vet this type of certificate and it would be unfair to single out Let’s Encrypt.
The Wildcard is Wildcard Certificates
That vocal chorus is growing louder, however, with Let’s Encrypt latest move to introduce wildcard certificates. Starting in January 2018, Let’s Encrypt said it will introduce wildcard certificates to companies. That means anyone with a domain such as “example.com” can now create an endless number of wildcard sub-domains such as “one.example.com” and “two.example.com” and so on.
“With wildcard certificates, hackers can now easily change the hostnames for their phishing sites without needing to change the certificate, making man-in-the-middle attacks even more difficult to detect,” Karel said. “The concern is that the bad guys may utilize these certificates far more frequently than the good guys.”
The introduction of wildcard support by Let’s Encrypt dovetails with its introduction of the ACME v2 API endpoint protocol and framework that supports it. Inception of ACME v2 was spearheaded by Let’s Encrypt and will be standardized by the Internet Engineering Task Force.
The ACME v2 protocol, is a medium for subscribers to acquire and manage certificates, and will build off the CA’s Automatic Certificate Management Environment (ACME) v1 protocol API. From an end-users standpoint ACME v2 is transparent. Technically ACME v2 adheres to web standards and adds support for wildcards to be deployed and managed by any certificate authority.
The fear many in the certificate authority community say is that these wildcard domains will make it easier for bad guys to generate endless numbers of malicious domains and at the same time make it harder for good guys to keep track of them.
Aas maintains that wildcard domains aren’t new, rather Let’s Encrypt is making it easier for companies to support it. “Bad guys have been using wildcards for years. There is nothing new here, except for the fact Let’s Encrypt is issuing wildcards and that is somehow changing things. It’s not.”
Open Door Invites Critics
Aas said that because Let’s Encrypt maintains a high level of transparency it has opened up itself to both criticism and praise.
Unlike most commercial certificate authorities that do not make available a list of who they issue certificates to, Let’s Encrypt does. That’s a boon for security experts that can use tools such as the Comodo SSL Analyzer to scour millions of certs for potential rogue certificates used by phishers or hackers. Using tools like this, researcher Vincent Lynch, encryption expert for The SSL Store, found more than 14,766 certificates were issued for PayPal phishing websites by Let’s Encrypt in a 12-month period.
Aas points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues.
“When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records,” he said.
Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don’t want to broadcast the names of their servers.
“That is a legit argument, but this is a system the public needs to trust,” Aas said. “If you are hiding data from the public, how is the public supposed to protect the system?”
“The reason people treat us like a punching bag is that we are big and we are transparent. It’s very easy to get data about what we do so it’s easy to construct an argument. The other CAs are either not as big or they aren’t as transparent. They simple don’t have as many examples for people to use,” Aas said.
However, with wildcards certificates, the job of ferreting out bad domains gets harder. That’s because a criminal can get a wildcard certificate for an innocuous domain such as “OfficeSystems2017.com” and create an endless number of wildcards such as “payment.OfficeSystem2017.com” or “login.OfficeSystem2017.” That makes it harder to detect when people setup malicious sites because the full site address isn’t in the searchable certificate database.
Vetting Certificate Applicants an Industry Problem
As with domain validation certificates, wildcard certificates have been available for good and bad. Let’s Encrypt is simply democratizing the access via the introduction of ACME v2 and its platform, said Plixer’s Jett.
“Wildcards are not a big deal,” Jett said. “Once you have a validated domain, how much does it really matter what you append to the front of that domain? It doesn’t matter. It’s within the vetting that the problem exists. And Let’s Encrypt can’t be held responsible for a lack of industry rules around that.”
Still, some certificate experts interviewed for this story said if Let’s Encrypt has the clout to push ACME v2, maybe it could take a leadership role in beefing up vetting of domain validation certificate applicants.
Other argue the solutions needs to be technical, for example the use of deep packet inspection used in conjunction with next-generation firewalls in order to detect malware hidden inside of SSL/TLS-encrypted web sessions. A report by NSS Labs revealed a 72 percent increase in the number of attempts where SSL/TLS-encrypted malware was used against firewalls from 2015 to 2016.
“Many cloud-based and on-premise DDoS prevention systems do support decrypting SSL connections for inspection. Without this visibility, an attacker could slip encrypted Layer-7 attack traffic past the DDoS prevention system,” said Jimmy Graham, director of product management at Qualys.
Others argue for increased support for client-side solutions such as Google’s Safe Browsing API or Google’s Certificate Transparency initiative that are able to spot a malicious site regardless of the domain’s certificate.
“To me it feels like the argument we’ve seen a lot in the U.K. recently about encrypted messenger applications like Signal,” said Scott Helme, security researcher in a blog post defending Let’s Encrypt. “The app is free and widely available so that as many people as possible can use it. With this comes the unfortunate situation that there are undoubtedly some unpleasant characters using this to communicate about unsavouy things.”
He argued if encryption is to be available to all then that includes the small percent of bad actors. “I don’t think it’s for Signal, or Let’s Encrypt, to decide who should have access to encryption,” he wrote.