In the span of a year, Let's Encrypt managed to make people across the Internet feel safe on phishing sites

Mar 27, 2017 22:23 GMT

Let's Encrypt, a free and open Certificate Authority, has issued close to 15,000 certificates containing the term "PayPal" for phishing sites. 

The discovery was made by encryption expert Vincent Lynch, who says 96.7% of the 15,270 certificates containing the term "PayPal" that Let's Encrypt issued in the past year went to phishing sites. Issuance picked up sharply from November 2016 onward, the data shows.

Let's Encrypt hasn't been around for very long: it entered public beta in December 2015 and left beta in April. The idea behind the service is to encrypt websites and serve them over TLS so that users' data is protected from eavesdroppers. To visitors, a certificate reads as a signal that the site is safe; by issuing certificates to phishing sites, Let's Encrypt validated those websites in their eyes.

"Despite the concerns of many around the industry, Let's Encrypt's stance is in full compliance with industry standards. Regardless, that policy in combination with offering free certificates does create a very attractive environment for phishers," Vincent Lynch notes about the service.

Good idea, but taken advantage of

The report follows a request Lynch made a few weeks ago that Let's Encrypt stop issuing PayPal certificates because they were being used for phishing. At the time, he estimated the number of certificates containing the term PayPal at under 1,000. Now that his full investigation is complete, the situation is clearly far worse.

"The various initiatives encouraging HTTPS are likely to appeal to phishers as well. There are a number of performance benefits (such as HTTP/2) only available to sites using HTTPS. In addition, sites using valid SSL certificates are given trusted UI indicators by browsers (the padlock icon in all browsers, the 'Secure' label in Chrome) which make a phishing site look more legitimate," Lynch notes in his report.

In a statement received by Softpedia, Ilia Kolochenko, CEO of web security company High-Tech Bridge, says that Let's Encrypt should have foreseen the massive abuse its service would attract and implemented at least some basic checks, such as refusing SSL certificates for domains containing popular brand names.

"The idea of encrypting all web traffic remains questionable, as it allows malware to easily bypass various security mechanisms more efficiently, causing huge damage to the end users and companies. I am quite sure that if we see how many Let's Encrypt SSL certificates are used by malware to exfiltrate stolen data, the results will be pretty scary. Therefore, it's difficult to predict how Let's Encrypt will shape its growth strategy in the future to preclude cybercriminals from abusing its desire to make the web safer," Kolochenko said.
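As an added example (not Lynch's analysis tooling and not Let's Encrypt code), the brand-term screening Kolochenko proposes and the tally Lynch performed, run in Python over a constructed list of certificate names. The list of brand-owned domains and the two-label registrable-domain rule are assumptions for illustration; the point the code makes is that a plain substring check both needs an allowlist for the brand's own domains and is blind to homoglyph names, which it surfaces separately.

```python
from collections import Counter

BRAND_TERMS = ("paypal",)
# Domains the brand itself controls: an assumption for this example, not an official list.
BRAND_OWNED_DOMAINS = {"paypal.com", "paypalobjects.com"}

# Constructed sample of one name per certificate (CN or first SAN); not real issuance data.
# Names in a certificate are ASCII, so internationalised labels appear in punycode form.
SAMPLE_NAMES = [
    "www.paypal.com",
    "*.paypalobjects.com",
    "paypal.com.account-verify.example",        # brand as a leading subdomain label
    "secure-paypal-login.example",              # brand embedded in the registrable label
    "paypal-login-\u00fcber.example".encode("idna").decode("ascii"),  # xn-- label hiding the term
    "p\u0430ypal.example".encode("idna").decode("ascii"),  # Cyrillic 'a' homoglyph of "paypal"
    "mail.example.org",
]

def decode_name(name: str) -> str:
    """Decode punycode labels and lower-case, so the term check runs on what users see."""
    return name.encode("idna").decode("idna").lower()

def registrable_domain(host: str) -> str:
    """Last two labels; a naive stand-in for public-suffix handling (assumption)."""
    return ".".join(host.split(".")[-2:])

def classify(name: str) -> str:
    """Label a certificate name relative to the brand terms."""
    host = decode_name(name).lstrip("*.")   # wildcard certs: judge the base name
    if registrable_domain(host) in BRAND_OWNED_DOMAINS:
        return "brand-owned"
    if any(term in host for term in BRAND_TERMS):
        return "brand-lookalike"
    if any(ord(ch) > 127 for ch in host):
        return "non-ascii"   # homoglyphs evade a substring check; surface them for review
    return "clean"

def summarize(names):
    """Count each class and return the lookalike share of all brand-term matches."""
    counts = Counter(classify(n) for n in names)
    matched = counts["brand-owned"] + counts["brand-lookalike"]
    share = counts["brand-lookalike"] / matched if matched else 0.0
    return counts, share

if __name__ == "__main__":
    counts, share = summarize(SAMPLE_NAMES)
    print(dict(counts), f"lookalike share of brand matches: {share:.1%}")
```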