
Let’s Encrypt and Comodo targeted by Phishers for TLS certs

A Netcraft report highlights that both Let’s Encrypt and Comodo have issued certificates for thousands of domains that in one form or another contain the words “apple”, “paypal” or “ebay”, and that virtually all of these domains are being used for phishing or other fraud.

Netcraft provides a metric called “Deceptive Domain Score”, and uses the occasion to promote this service of theirs, asking that certificate authorities implement a similar check before issuance.

In each of these examples above — and in the other statistics referenced above — the certificate authority had sight of the whole hostname that was blocked. These examples did not rely on wildcard certificates to carry out their deception. In particular, some of these examples (such as update.wellsfargo.com.casaecologica.cl) demonstrate that the certificate authority was better placed to prevent misuse than the domain registrar (who would have seen casaecologica.cl upon registration).

The two services are attractive to phishers because they offer TLS certificates for free and through an API, with a very limited screening process. Both run the hostname through the Google Safe Browsing API to check whether it is already flagged for malware or phishing, but a freshly set up phishing site is usually not flagged yet at the time the certificate is issued, so this check is largely pointless. Netcraft would rather have the CAs buy their Deceptive Domain Score service instead.
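To make the visibility argument concrete, here is a small added example (my code, not Netcraft’s Deceptive Domain Score and not anything from either CA). It splits a requested hostname into the part a registrar sees (the registrable domain) and the part a CA sees (the whole name in the CSR), and flags brand words in any label. The brand list and the tiny public-suffix table are assumptions for the example; the sample hostnames are constructed except for the wellsfargo one quoted from the report. The brand match is plain substring matching on purpose, so that the false positives such a check produces are visible too.

```python
"""Registrar view vs. CA view of a requested hostname.

Added illustration: the brand list, the public-suffix stand-in and the
sample names are assumptions, not anything from Netcraft or the CAs.
"""

# Brand strings mentioned in the report. Hypothetical list for the example.
BRANDS = ("apple", "paypal", "ebay", "wellsfargo")

# Minimal stand-in for the real Public Suffix List; just enough for the samples.
PUBLIC_SUFFIXES = {"com", "org", "net", "cl", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return what the registrar saw: one label left of the public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {hostname!r}")


def brand_hits(hostname: str, brands=BRANDS) -> list:
    """Brand terms found in any label of the hostname.

    Deliberately naive substring matching: this is what makes a name like
    'thepiratebay' match 'ebay'. A real check needs an allow-list or word
    boundaries; here the weakness is shown, not fixed.
    """
    hits = []
    for label in hostname.lower().split("."):
        for brand in brands:
            if brand in label and brand not in hits:
                hits.append(brand)
    return hits


def deceptive(hostname: str, brands=BRANDS) -> bool:
    """True when a brand appears anywhere in the name but the registrable
    domain is not that brand's own (paypal.com is fine, paypal-login.com is not)."""
    owner_label = registrable_domain(hostname).split(".")[0]
    return any(brand != owner_label for brand in brand_hits(hostname, brands))


def visibility(hostname: str) -> dict:
    """What each party could have checked for the same phishing site."""
    reg = registrable_domain(hostname)
    return {
        "registrar_saw": reg,
        "registrar_flags": deceptive(reg),
        "ca_saw": hostname,
        "ca_flags": deceptive(hostname),
    }


# Constructed sample input; the first name is the one quoted from the report.
SAMPLE_HOSTNAMES = [
    "update.wellsfargo.com.casaecologica.cl",
    "paypal-secure-login.example.org",
    "www.paypal.com",
    "thepiratebay.org",  # substring match fires on 'ebay': a false positive
]

if __name__ == "__main__":
    for name in SAMPLE_HOSTNAMES:
        print(visibility(name))
```

Run it and the first sample shows the asymmetry the report describes: the registrar only ever saw casaecologica.cl, which carries no brand term, while the CA saw the full hostname with wellsfargo.com in it. The last sample shows why a check this naive cannot simply be bolted onto issuance: a legitimate name with an embedded brand string gets flagged just the same.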

Published in Hackerterrorcybercyber

6 Comments

  1. In my opinion, this check should be done on the level of domain registration services, not the TLS issuing services.

    • kris kris

      See the article. Domain registration has even less visibility than the CA. In a way, the safe-browsing API is not the wrong way to solve this. It’s just the text “secure” next to the green lock that gives the wrong message. “authenticated and encrypted” is not “secure” is not “trustworthy”.

  2. Rudolf Polzer

    “A netcraft report highlights that both Let’s Encrypt and Comodo have been issuing thousands of domains that in some form or the other contain the words “apple”, “paypal” or “ebay” in them, and that virtually all of these domains are being used for phishing or other fraudulent activities.”

    Such as the domain of that ebay pirate, “thepiratebay”? 🙂

    Or, Appleton Farms?

    Yes, non-EV just certifies domain ownership. Which is why it’s called DV – domain validation. If we want to push against plaintext HTTP, we must allow HTTPS with DV for everyone – and simply not consider it secure beyond “this actually is the domain you’re talking to”.

    • kris kris

      That’s not what the word “secure” shown next to the green lock communicates.

      • Pascal

        Some say the lock symbol is a shopping bag. 😉

        Speaking of HTTPS: when is this blog going to support it?

        • kris kris

          When I get around to automating the LetsEncrypt stuff, and integrate it into the Ansible setup for the blog VM.
