In late March, encryption experts affiliated with the SSL Store released a report on fraudulent certificates issued by Let’s Encrypt. According to researcher Vincent Lynch, Let’s Encrypt issued 15,270 certificates containing the word “PayPal” between January 1st, 2016 and March 6th, 2017. However, Lynch writes: “based on a random sample, 96.7% of these certificates were intended for use on phishing sites.”
As I mentioned in a previous blog post, encryption adoption is certainly on the rise. In fact, the Let’s Encrypt issued certificates to over 21 million websites last year. Encryption usage is often seen as a positive security step, but the reality is not so clear. As Lynch puts it: “encrypting everything includes the bad sites, and the widespread use of HTTPS on malicious sites has been a concern for some.”
Simply put: as encryption becomes more prevalent, so do the cyber criminals who abuse it. When Mozilla reported that half of the web traffic on FireFox was encrypted, Zscaler revealed that 54% of the threats blocked by their product line hid in SSL traffic.
According to Kevin Bocek, chief security strategist for Venafi: “As the speed of certificate issuance accelerates and hackers automate their attacks, the risk for malicious certificates will continue to increase. This problem will only get worse."
Now, Let’s Encrypt is not the only Certificate Authority facing these kinds of issues. “Everyone has been trained to look for the padlock in their browser – cyber criminals are catching up and using the power and trust of digital certificates against us,” says Bocek. “This issue, however, is not limited to just Let’s Encrypt. Many other CAs have been challenged to stop fraud.”
So how can organizations protect themselves? Bocek recommends enterprises use technologies like Certificate Reputation to identify machines using malicious or rogue certificates: “Certificate Reputation uses data from Certificate Transparency logs, along with analytics and machine learning, to score certificates. Certificate Reputation services also help enterprises identify certificates issued in their own name, whether they’re purchased on the inside by marketing or obtained fraudulently by cyber criminals.”
Ultimately, encryption is a tool. It is not inherently good or bad. And its success as a tool is dependent on the user. Organizations can easily utilize encryption to make themselves and their ecosystems safer, but they must take additional steps to protect themselves from abuse.
What steps do you take to protect yourself from fraudulent certificates?