More Wild Cards, More Problems: The Safest Bets for Keeping Threats Out of Encryption

July 11, 2017 | Emil Hanscom

Earlier this month, Let’s Encrypt announced a plan to introduce wildcard security certificates at the beginning of 2018. The free certificate authority said this was a direct response to requests from the broader CA community and will help create a fully encrypted web.

According to Josh Aas, executive director of the Internet Security Research Group: “Wildcard certificates are a commonly requested feature and we understand that there are some use cases where they make HTTPS deployment easier. Our hope is that offering wildcards will help to accelerate the Web’s progress towards 100% HTTPS.”

Let’s Encrypt’s announcement is certainly ambitious, but encryption usage has already increased dramatically over the last several years. Aas reports that Let’s Encrypt currently secures 47 million domains via its fully automated DV certificate issuance and management API. “This has contributed heavily to the Web going from 40% to 58% encrypted page loads since Let’s Encrypt’s service became available in December 2015,” Aas writes.

Unfortunately, cyber criminals have taken advantage of this uptick in encryption as well. Earlier this year Mozilla reported that half of the web traffic on Firefox was encrypted; meanwhile, Zscaler revealed that 54% of the threats blocked by its product line were hidden in SSL traffic.

“Let’s Encrypt’s introduction of free wildcard certificates is great for privacy, but a boon for cybercriminals,” says Kevin Bocek, chief security strategist for Venafi. “We have seen bad actors abuse Let’s Encrypt certificates before: more than 14,000 certificates were issued for PayPal phishing websites by Let’s Encrypt, a powerful example of how bad guys exploit Certificate Authority business processes.”

Unfortunately, wildcard certificates create specific challenges for organizations. As Nick Hunter, senior technical manager for Venafi, wrote in a recent blog post: “A wildcard certificate is a public key certificate used by all subdomains within a larger domain. Using a wildcard certificate on a publicly facing webserver, you can quickly secure unlimited subdomains that are all encrypted by the same certificate. Unfortunately, so can cybercriminals.”

Essentially, attackers can create sophisticated phishing websites using wildcard certificates. By infiltrating an organization’s domains, cyber criminals can gain privileges that would allow them to create unlimited subdomains. Distressingly, these domains and subdomains would appear to be valid because the wildcard certificate authenticates them. Users visiting such a site may not realize it is a phishing website, because the legitimate wildcard certificate allows their browsers to establish an HTTPS connection.

“Cybercriminals can create thousands of fake websites using Let’s Encrypt’s wildcard certificates, all with a seemingly trustworthy glowing green padlock in the web browser address field,” continues Bocek.

Ultimately, organizations must monitor the Internet and their traffic for malicious certificates. “There’s no putting the Let’s Encrypt genie back in the bottle, but this means every organization could be victimized by malicious websites designed to spoof their customers and partners,” concludes Bocek. “But there are options: Google’s Certificate Transparency initiative and other similar technologies allow organizations to spot fake or malicious certificates regardless of the CA.”
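One way to act on that advice, as an added example that is not from this post or from Venafi: a small Python review of CT-log-style records that flags certificates issued for an organization's domains by CAs it has not approved, ranking wildcard entries highest. The monitored domains, the issuer allow-list and the records themselves are constructed for the example.

```python
import json

# Domains the organization owns and wants watched (constructed for the example).
MONITORED_DOMAINS = {"example.com", "example.net"}
# CAs the organization has authorized to issue for those domains (an assumption here).
APPROVED_ISSUERS = {"Example Corp Internal CA"}

# Constructed records in the shape a CT monitor might return: issuer plus SAN list.
CT_ENTRIES = json.loads("""[
  {"issuer": "Example Corp Internal CA", "sans": ["www.example.com", "api.example.com"]},
  {"issuer": "Let's Encrypt Authority X3", "sans": ["*.example.com"]},
  {"issuer": "Let's Encrypt Authority X3", "sans": ["login.example.net"]},
  {"issuer": "Some Other CA", "sans": ["*.unrelated.org"]}
]""")


def san_scope(san):
    """Return (is_wildcard, monitored_domain) for a SAN, or (False, None) if out of scope."""
    name = san.lower().rstrip(".")
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]          # "*.example.com" -> "example.com"
    for domain in MONITORED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return wildcard, domain
    return False, None


def review_entries(entries):
    """Flag in-scope certificates from unapproved issuers; wildcards rank as high severity."""
    findings = []
    for entry in entries:
        for san in entry["sans"]:
            wildcard, domain = san_scope(san)
            if domain is None or entry["issuer"] in APPROVED_ISSUERS:
                continue
            findings.append({
                "san": san, "issuer": entry["issuer"], "domain": domain,
                "severity": "high" if wildcard else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in review_entries(CT_ENTRIES):
        print(finding)
```

In practice the records come from a CT log monitor rather than an inline list, and a hit on an unapproved wildcard is the case to escalate first, since one such certificate covers every direct subdomain of the affected domain.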

Are you taking steps to protect your organization from threats hiding in encryption?

About the author

Emil Hanscom
Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.
