More Wild Cards, More Problems: The Safest Bets for Keeping Threats Out of Encryption

July 11, 2017 | Eva Hanscom

Earlier this month, Let’s Encrypt announced a plan to introduce wildcard security certificates at the beginning of 2018. The free certificate authority said this was a direct response to requests from the overall CA community and will help create a fully encrypted web.

According to Josh Aas, executive director of the Internet Security Research Group: “Wildcard certificates are a commonly requested feature and we understand that there are some use cases where they make HTTPS deployment easier. Our hope is that offering wildcards will help to accelerate the Web’s progress towards 100% HTTPS.”

Let’s Encrypt’s announcement is certainly ambitious; encryption usage has already increased dramatically over the last several years. Aas reports that Let’s Encrypt currently secures 47 million domains via its fully automated DV certificate issuance and management API. “This has contributed heavily to the Web going from 40% to 58% encrypted page loads since Let’s Encrypt’s service became available in December 2015,” Aas writes.

Unfortunately, cyber criminals have taken advantage of this uptick in encryption as well. Earlier this year Mozilla reported that half of the web traffic on Firefox was encrypted, while Zscaler revealed that 54% of the threats blocked by its product line hid in SSL traffic.

“Let’s Encrypt’s introduction of free wildcard certificates is great for privacy, but a boon for cybercriminals,” says Kevin Bocek, chief security strategist for Venafi. “We have seen bad actors abuse Let’s Encrypt certificates before: more than 14,000 certificates were issued for PayPal phishing websites by Let’s Encrypt, a powerful example of how bad guys exploit Certificate Authority business processes.”

Unfortunately, wildcard certificates create specific challenges for organizations. As Nick Hunter, senior technical manager for Venafi, wrote in a recent blog post: “A wildcard certificate is a public key certificate used by all subdomains within a larger domain. Using a wildcard certificate on a publicly facing webserver, you can quickly secure unlimited subdomains that are all encrypted by the same certificate. Unfortunately, so can cybercriminals.”

Essentially, attackers can create sophisticated phishing websites using wildcard certificates. Once cyber criminals infiltrate an organization’s domain, they gain privileges that allow them to create an unlimited number of subdomains. Distressingly, these domains and subdomains would appear to be valid because the wildcard certificate authenticates all of them. Users visiting such a site may not realize they are on a phishing website, because the legitimate wildcard certificate allows their browsers to establish an HTTPS connection.

“Cybercriminals can create thousands of fake websites using Let’s Encrypt’s wildcard certificates, all with a seemingly trustworthy glowing green padlock in the web browser address field,” continues Bocek.

Ultimately, organizations must monitor the Internet and their traffic for malicious certificates. “There’s no putting the Let’s Encrypt genie back in the bottle, but this means every organization could be victimized by malicious websites designed to spoof their customers and partners,” concludes Bocek. “But there are options: Google’s Certificate Transparency initiative and other similar technologies allow organizations to spot fake or malicious certificates regardless of the CA.”
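As an added illustration (not code from the original post or from Venafi), the following monitor reconciles CT-style certificate entries against an inventory of certificates the organization itself requested and flags any name, wildcard or not, that covers the monitored domain but is not in the inventory. The log entries, domain names and inventory are constructed assumptions, and the wildcard-matching rule follows RFC 6125 (one label only).

```python
# Constructed sample of Certificate Transparency entries (not real data): the
# subject alternative names a monitor would extract from each logged certificate.
OBSERVED_CERTS = [
    {"issuer": "Let's Encrypt", "sans": ["*.example.com"]},          # wildcard for our domain
    {"issuer": "Internal CA",   "sans": ["www.example.com", "example.com"]},
    {"issuer": "Let's Encrypt", "sans": ["*.login.example.com"]},    # nested wildcard
    {"issuer": "Let's Encrypt", "sans": ["*.example.net"]},          # someone else's domain
]

# Hypothetical inventory of names the organization actually requested certificates for.
AUTHORIZED_SANS = {"www.example.com", "example.com"}

# Domains the organization owns and wants to watch in CT logs (assumed).
MONITORED_DOMAINS = {"example.com"}


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """Return True if a SAN entry (possibly '*.x') covers hostname.

    Per RFC 6125 the '*' matches exactly one DNS label, so '*.example.com'
    covers 'login.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    base = pattern[2:]
    head, sep, tail = hostname.partition(".")
    return sep == "." and tail == base and head != ""


def is_for_monitored_domain(san: str) -> bool:
    """True if the SAN (with any leading '*.' stripped) lies under a monitored domain."""
    name = san[2:] if san.startswith("*.") else san
    return any(name == d or name.endswith("." + d) for d in MONITORED_DOMAINS)


def find_unauthorized(certs):
    """Return (issuer, san, is_wildcard) for logged names not in the inventory."""
    findings = []
    for cert in certs:
        for san in cert["sans"]:
            if is_for_monitored_domain(san) and san not in AUTHORIZED_SANS:
                findings.append((cert["issuer"], san, san.startswith("*.")))
    return findings


if __name__ == "__main__":
    for issuer, san, wildcard in find_unauthorized(OBSERVED_CERTS):
        kind = "WILDCARD" if wildcard else "single-name"
        print(f"unauthorized {kind} certificate for {san} issued by {issuer}")
```

Both wildcard entries for example.com are reported while the unrelated example.net wildcard is ignored; a real deployment would feed SANs pulled from a CT log monitor into `find_unauthorized` instead of the constructed list.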

Are you taking steps to protect your organization from threats hiding in encryption?

About the author

Eva Hanscom

Eva is Public Relations Manager at Venafi. She is passionate about educating the global marketplace about infosec and machine-identity issues, and in 2018 grew Venafi's global coverage by 45%.
