Earlier this month, Let’s Encrypt announced a plan to introduce wildcard security certificates at the beginning of 2018. The free certificate authority said this was a direct response to requests from the overall CA community and will help create a fully encrypted web.
According to Josh Aas, executive director of the Internet Security Research Group: “Wildcard certificates are a commonly requested feature and we understand that there are some use cases where they make HTTPS deployment easier. Our hope is that offering wildcards will help to accelerate the Web’s progress towards 100% HTTPS.”
Let’s Encrypt’s announcement is certainly ambitious, but encryption usage has already increased dramatically over the last several years. Aas reports that Let’s Encrypt currently secures 47 million domains via its fully automated DV certificate issuance and management API. “This has contributed heavily to the Web going from 40% to 58% encrypted page loads since Let’s Encrypt’s service became available in December 2015,” Aas writes.
“Let’s Encrypt’s introduction of free wildcard certificates is great for privacy, but a boon for cybercriminals,” says Kevin Bocek, chief security strategist for Venafi. “We have seen bad actors abuse Let’s Encrypt certificates before: more than 14,000 certificates were issued for PayPal phishing websites by Let’s Encrypt, a powerful example of how bad guys exploit Certificate Authority business processes.”
Unfortunately, wildcard certificates create specific challenges for organizations. As Nick Hunter, senior technical manager for Venafi, wrote in a recent blog post: “A wildcard certificate is a public key certificate used by all subdomains within a larger domain. Using a wildcard certificate on a publicly facing webserver, you can quickly secure unlimited subdomains that are all encrypted by the same certificate. Unfortunately, so can cybercriminals.”
Essentially, attackers can create sophisticated phishing websites using wildcard certificates. By infiltrating an organization’s domains, cybercriminals can access privileges that would allow them to create unlimited subdomains. Distressingly, these domains and subdomains would appear to be valid because a wildcard certificate authenticates them. Users visiting the site may not realize they are on a phishing website, because the legitimate wildcard certificate allows their browsers to establish an HTTPS connection.
“Cybercriminals can create thousands of fake websites using Let’s Encrypt’s wildcard certificates, all with a seemingly trustworthy glowing green padlock in the web browser address field,” continues Bocek.
Ultimately, organizations must monitor the Internet and their traffic for malicious certificates. “There’s no putting the Let’s Encrypt genie back in the bottle, but this means every organization could be victimized by malicious websites designed to spoof their customers and partners,” concludes Bocek. “But there are options: Google’s Certificate Transparency initiative and other similar technologies allow organizations to spot fake or malicious certificates regardless of the CA.”
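As an added illustration (not code from Venafi or Let’s Encrypt) of the two points above, the snippet below shows exactly which hostnames a wildcard name covers under the rules browsers apply, and then reviews a constructed set of Certificate Transparency entries for a domain you own, flagging wildcard issuances and certificates from CAs you do not use. The domain, the issuer names and the log entries are all assumed sample values.

```python
EXPECTED_ISSUERS = {"Corp Internal CA"}   # assumption: the CAs your organization actually uses
OWNED_DOMAIN = "example.com"              # assumption: the domain being monitored

# Constructed CT-monitor output: issuer plus the certificate's subject alternative names.
CT_ENTRIES = [
    {"id": 1, "issuer": "Corp Internal CA", "names": ["www.example.com", "example.com"]},
    {"id": 2, "issuer": "Let's Encrypt", "names": ["*.example.com"]},
    {"id": 3, "issuer": "Let's Encrypt", "names": ["login.example.com.evil-host.net"]},
    {"id": 4, "issuer": "Corp Internal CA", "names": ["*.dev.example.com"]},
]


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if a certificate name covers hostname the way browsers check it
    (RFC 6125 style): a lone leftmost '*' matches exactly one DNS label, so
    '*.example.com' covers 'shop.example.com' but not 'example.com' or
    'a.b.example.com'. Comparison is case-insensitive, trailing dot ignored."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same number of labels, and every label after the '*' must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def in_owned_domain(name: str, owned: str) -> bool:
    """Is this SAN the owned domain itself or a name beneath it? A wildcard
    such as '*.example.com' counts, since it was issued for the owned domain."""
    name, owned = name.lower(), owned.lower()
    return name == owned or name.endswith("." + owned)


def review_ct_entries(entries, owned=OWNED_DOMAIN, expected=EXPECTED_ISSUERS):
    """Return (entry id, name, reasons) for each logged certificate that names
    the owned domain and is a wildcard and/or comes from a CA not in 'expected'."""
    findings = []
    for entry in entries:
        for name in entry["names"]:
            if not in_owned_domain(name, owned):
                continue  # e.g. a lookalike under somebody else's registrable domain
            reasons = []
            if name.startswith("*."):
                reasons.append("wildcard")
            if entry["issuer"] not in expected:
                reasons.append("issuer not in expected set: " + entry["issuer"])
            if reasons:
                findings.append((entry["id"], name, reasons))
    return findings
```

Entry 3 is skipped on purpose: it is a lookalike under another registrable domain, which CT monitoring of your own domain will not surface and which needs a separate brand-monitoring check.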
Are you taking steps to protect your organization from threats hiding in encryption?