During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word "PayPal" in the domain name or the certificate identity.
Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store.
Lynch's analysis comes to confirm some of the fears voiced as early as 2015, around Let's Encrypt's early launch phase.
Encryption and infosec experts warned that by providing free SSL certificates; phishers, tech support scammers, and other malware authors would flock to obtain free certificates and move their operations on HTTPS domains.
The first of these security incidents was a malvertising campaign that used Let's Encrypt certs, unearthed by Trend Micro in January 2016. Since then, there have been isolated cases, here and there, but nothing to hint at a mass abuse. Nevertheless, security researchers started spotting more and more of Let's Encrypt's certificates on malicious sites.
Even if not obliged by any standards, Let's Encrypt has always published certificate transparency logs. At the start of the month, the same Lynch analyzed these logs and discovered 988 Let's Encrypt certificates containing the word "PayPal" in the certificate information, with only four of these used for legitimate purposes.
After learning from his previous analysis, Lynch has fine-tuned his methods and unearthed numbers that not even the most gloomy Let's Encrypt critics were expecting.
Using data (not all publicly available) from Comodo's Certificate Search, the researcher was able to track all the Let's Encrypt SSL certs issued for various domains that also included the term "PayPal," a common target of many phishing sites, alongside Gmail, Google, Apple, eBay, or Amazon.
His findings reveal how phishers gradually tested if they could get, deploy, and keep hold of Let's Encrypt certificates for malicious websites.
Around October and November last year, the floodgates opened, and the number of Let's Encrypt SSL certificates issued for PayPal-themed phishing sites increased in a dramatic fashion.
"There does not appear to be any specific cause for the increase," Lynch noted. "It may simply be that it took some time for word to spread amongst the phishing communities and for technical expertise to be developed."
While Let's Encrypt issued some certificates for legitimate purposes, in most cases, just by looking at the hostname, the site's purpose is pretty clear, and you don't need to be a security researcher to figure it out.
While Lynch's analysis only focused on the usage of the PayPal word in Let's Encrypt's free certificates, there are thousands of other similar certificates issued for terms like AppleID, Gmail, and others, just as shady as the PayPal certs.
They don't amount to the same number of shady PayPal certificates because phishing and gaining access to PayPal accounts is a far much lucrative business, that involves direct access to funds, unlike other targets.
"Assuming that current trends continue, Let’s Encrypt will issue 20,000 additional “PayPal” certificates by the end of this year," says Lynch, brining the total up to 35,000 over the past two years.
The good news is that these phishing sites never live that long anyway. A phishing site only lasts around two days on average, according to a report from CYREN, before being flagged in Safe Browsing, or being taken down by its hosting company.
This report is consistent with reality, as Bleeping Computer's tests showed that most of the sites listed on Comodo's Certificate Search were already down or flagged by Safe Browsing.
Lynch, who points out the abuse of Let's Encrypt's infrastructure, doesn't blame the Certificate Authority (CA), but nevertheless, points out that other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks. This number is far smaller compared to misused Let's Encrypt certs.
Phishers don't target these CAs because they're commercial services, but also because they know these organizations will refuse to issue certificates for certain hot terms, like "PayPal," for example.
These CAs, even if not obligated by any standard or procedure, know that issuing these certificates will put users at risk.
Unfortunately, this isn't Let's Encrypt's philosophy, and it never was, for good reasons. Back in 2015, Let's Encrypt made it clear in a blog post it doesn't intend to become the Internet's HTTPS watchdog.
In an email to Bleeping Computer, Josh Aas, ISRG Executive Director at Let's Encrypt, reaffirmed the organization's belief in the same principles.
"CAs are not in a good position to act as content police, we don't have the information we'd need and our validation processes do not assert anything about website content safety," Ash told Bleeping. "If we did try to act as content police any actions we could take would be ineffective. Revocation is too slow and broken."
"We strongly recommend that people use products like Google Safe Browsing and Microsoft Smartscreen for phishing and malware protection as those products are much more effective than we could ever be in trying to protect people."
Reports from CYREN and Sucuri revealed that Safe Browsing is really efficient and fast at identifying these threats, an opinion also shared by several experts, who also agree that Let's Encrypt can't patrol the Internet based on assumptions.
Security researchers, like Scott Helme, agree with Let's Encrypt's mission statement of creating a "100% encrypted Web," even if this means supplying the bad guys with free HTTPS.
"One of the common suggestions here is that the CA, Let's Encrypt in this case, should be doing something about it," Helme wrote in a blog post earlier this month. "They should be actively trying to prevent the issuance of certificates to bad actors."
Sadly, this suggestion is not a valid one, as there are no rules in the CA community that force CAs to do so. The most basic and important check a CA must perform is to verify if the person asking for the SSL certificate is the owner of the domain he's asking the certificate for.
Implementing a rule that grants CAs the power to subjectively evaluate domains based on the look of their hostname or "possible" content that may be hosted on that site is not a good idea if we take into account other consequences, such as censorship and inability to review the CA's decision-making process.
The prevalence of phishing sites is well known, still being one of the most effective ways of compromising anything from online shoppers to government members.
While Let's Encrypt has reduced the costs of running an HTTPS website for phishing operators, they aren't the only ones to bear the blame.
Security expert Eric Lawrence also puts some of the blame on browser makers. For example, Internet Explorer doesn't actively check for certificate revocation, meaning if Let's Encrypt or other CA would revoke a certificate used on a phishing site, IE wouldn't even notice.
Similarly, constant UI changes in Google Chrome and Firefox in regards to HTTPS indicators have confused many users. Lawrence points out Google Chrome as the biggest offender.
In the image below, it's very hard to tell which is the real PayPal site and which one is the phishing site. Can you tell? The explanation is below the image.
Very few people know how to read the security indicators in Chrome, for the above screenshot. The real PayPal site is on the left. Because it uses a more secure SSL certificate, an EV (Extended Validation) certificate, Chrome will display the company's name in the URL bar.
On the other hand, the site on the right is a phishing site. It also uses a valid SSL certificate, but a DV (Domain Validated) certificate. DV certificates are easier to obtain.
Chrome doesn't care what's on the site or what's the certificate type. If the site has installed the SSL certificate in a correct way, it will show a "Secure" indicator in green, no matter its purpose.
The browser only cares that an encrypted connection exists between the user's computer and that server, regardless if it's a phishing site or a host for banking trojans.
After years of being told that HTTPS is good, most users are now accustomed to looking at the indicator, seeing green, and automatically "trusting" the site.
In reality, HTTPS means the connection is encrypted, with the key word being "connection." HTTPS is like a freshly paved highway. You can drive on a new highway and still reach a bad hotel.
These are some of the reasons why Let's Encrypt is not solely at fault for the large numbers of phishing sites, now protected by its certificates.
It was to be expected that malware authors, phishers, and tech support scammers would flock to the service, once they understood it was free, easy to use for non-technical users, and had featured automated validation process.
Nevertheless, this doesn't excuse Let's Encrypt's ignorance in front of blatant abuse. While it's mission statement to encrypt all the Internet is an admirable goal, when the number of shady domains using your certificates reaches the thousands range, maybe it's time to tweak some of your mode of operation.
Yet, this whole debate on what Let's Encrypt should do is akin to the discussions on gun laws in the United States. SSL certificates on phishing sites don't lose user data, users lose user data!