LetsEncrypt: Secure, But Not Secure Enough

There’s a new Certificate Authority (CA) in town, and they are enjoying quite a large—and diverse—audience.

Free, automated, and open for all to use, LetsEncrypt provides a set of tools that quickly and efficiently turns HTTP web services into HTTPS web services, giving website owners a painless way to encrypt traffic between the browser and the web server. Now it is easy to show visitors the green padlock icon to the left of the URL in their browser. Many visitors read that icon as a sign of safety, but all it actually conveys is that the connection to the server named in the URL is encrypted and was not tampered with in transit; it says nothing about who operates that server or what they intend to do with the data. Unfortunately, what is "easy for everyone" is also easy for malicious actors like phishers and malware operators, who are moving to HTTPS unopposed.

Before the introduction of low-cost and free certificate authorities, attackers had little incentive to use SSL/TLS, mainly because of its cost and complexity (the same reasons SSL was not widely adopted in general). The goal of providers like LetsEncrypt is to simplify the process so that all communication can be encrypted, nefarious or not. LetsEncrypt issues domain-validated certificates: its automated issuance process checks only that the requester controls the domain name, by having the host that the name resolves to serve a CA-supplied token over HTTP, or by publishing a CA-derived value in a DNS record for that name. It does not verify who the requester is or what the site will be used for. That means anyone who controls a name and the host it points to can obtain a certificate for it, including an attacker who has hijacked a subdomain and pointed it at a host they control. As evidenced by the domain shadowing problem that we talked about last week, this is a fairly common situation.
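
To make concrete what "validating control" amounts to, here is an added illustration (not LetsEncrypt's own code) of the two ACME challenge types in Python, using only the standard library: the client derives a key authorization from the CA's token and the RFC 7638 thumbprint of its account key, then either serves it at /.well-known/acme-challenge/<token> over HTTP (HTTP-01) or publishes its SHA-256 hash in a TXT record at _acme-challenge.<name> (DNS-01). The account key, the token, the domain name and the dict standing in for the HTTP server are all constructed placeholders.

```python
"""ACME HTTP-01 / DNS-01 challenge construction and the CA-side check.

Added illustration, not LetsEncrypt's code. Everything below the helpers
(account key, token, domain, "served" dict) is a constructed placeholder.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    sorted lexicographically, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path(token: str) -> str:
    """Where the CA fetches the key authorization for HTTP-01."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value at _acme-challenge.<name>: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_validates_http01(domain: str, token: str, jwk: dict, served: dict) -> bool:
    """The CA-side check: the host that `domain` resolves to serves the expected
    key authorization at the well-known path. `served` maps (domain, path) -> body
    and stands in for an HTTP GET against the host the name resolves to.
    Nothing here looks at who the requester is or what the site will host."""
    body = served.get((domain, http01_path(token)))
    return body is not None and body.strip() == key_authorization(token, jwk)


# Constructed placeholder account key: "n" is filler bytes, not a real RSA modulus.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(256))),
    "alg": "RS256",  # extra member; the thumbprint must ignore it
}
# Constructed token (a real one is at least 128 bits of CA-chosen randomness).
TOKEN = "DGyRejmCefe7v4NfDGDKfA"


def demo() -> dict:
    """Constructed scenario: login.example.com was added under a legitimate domain
    by an attacker with stolen registrar credentials and points at their own host."""
    domain = "login.example.com"
    auth = key_authorization(TOKEN, ACCOUNT_JWK)
    # The attacker controls that host, so they can serve the file the CA asks for.
    served = {(domain, http01_path(TOKEN)): auth + "\n"}
    return {
        "attacker_passes": ca_validates_http01(domain, TOKEN, ACCOUNT_JWK, served),
        # A requester with a different account key cannot produce the expected body.
        "other_key_fails": ca_validates_http01(
            domain, TOKEN, dict(ACCOUNT_JWK, e="AQAC"), served),
        # A name whose host does not serve the file fails.
        "other_host_fails": ca_validates_http01("www.example.com", TOKEN, ACCOUNT_JWK, served),
        "dns01_txt": dns01_txt_value(TOKEN, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, it shows the attacker's request passing while a requester with a different key, or a name whose host does not serve the file, fails. The check consults only the token, the account key and what the host serves, which is exactly why a shadowed subdomain pointed at an attacker's host clears it.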

In fact, RiskIQ blacklisted 1,800 subdomains with certificates signed by LetsEncrypt and saw significant overlap between those hosts and Google Safe Browsing's listings. In several cases, a "secure" connection actually led to a phishing page or malware. Essentially, you can no longer assume that HTTPS means friendly, and the green padlock no longer means that your data cannot be taken by a threat actor. Its meaning has been downgraded to "an encrypted connection to the server named in the URL, malicious or not." Sadly, many websites dedicated to educating the public on phishing overlook this and still cite the presence of HTTPS as an indicator that a site is safe. Even a publication by implies that HTTPS sites are an indicator of legitimacy. What can you do to protect yourself?

Beef Up Your Security — Personal firewalls and security software packages (with anti-virus, anti-spam, and spyware detection features) are a must-have for those who engage in online financial transactions. Make sure your computer has the latest security patches, and make sure that you conduct your financial transactions only on a secure web page using encryption. You can tell if a page is secure in a couple of ways. Look for a closed padlock in the status bar, and see that the URL starts with “https” instead of just “http.”

Security Tip: Some phishers make spoofed websites which appear to have padlocks. To double-check, click on the padlock icon on the status bar to see the security certificate for the site. Following the “Issued to” in the pop-up window you should see the name matching the site you think you’re on. If the name differs, you are probably on a spoofed site.

It's great that LetsEncrypt exists, and website owners should be encouraged to encrypt their sites. It is also a good sign that people are moving toward encrypted channels for one of the most commonly used internet protocols. But at the end of the day, encryption tells you the channel is private, not that the party at the other end is honest; encryption does not equal security, even if the open availability of these tools is a move in the right direction.
