Cyber criminals abusing free Let's Encrypt certificates

Trend Micro researchers have identified a malvertising campaign targeting sites that use free Let's Encrypt certificates

Criminals abusing free Let's Encrypt certificates

Make security technology easier to use, and invariably someone will use it for criminal purposes.

The backers of the Let's Encrypt project wanted to make it easier for website owners to obtain and deploy certificates to encrypt HTTP traffic. The project started issuing free certificates as part of a public beta program in December. It hasn't even been two months and cyber criminals have already taken advantage of the project's free certificates and used them for illegitimate purposes.

"Any technology that is meant for good can be used by cyber criminals, and Let's Encrypt is no exception," Trend Micro fraud researcher Joseph Chen wrote on the TrendLabs Security Intelligence blog.

Trend Micro researchers uncovered a malvertising campaign on Dec. 21 that directed visitors to sites hosting the Angler Exploit Kit. It turned out the malvertisers had created subdomains under legitimate domains and pointed them to servers under their control. Traffic was protected with HTTPS using Let's Encrypt certificates specific to the subdomains, Chen wrote. In this case, the DV certificates from Let's Encrypt helped the subdomains, such as, and the criminals behind them "gain legitimacy with the public."

Let's Encrypt automatically issues domain-validated (DV) certificates to websites by checking the URL's phishing status against the Google Safe Browsing API. Once issued, Let's Encrypt does not monitor the certificates or take any action afterward. Even if Google later flags the domain as malicious, Let's Encrypt will not revoke certificates.

"It would be impractical and ineffective," said Josh Aas, executive director of the Internet Security Research Group. ISRG is the group managing the Let's Encrypt project.

Let's Encrypt will not be revoking those certificates issued to the subdomains used in the malvertising attacks, "but it looks like the sites in question have been taken down," Aas said.

CAs weeding out malicious sites?

Should certificate authorities cancel certificates issued to illicit parties after they have been used, as Chen argued in the blog post? Many security experts think so. In an analysis of phishing attacks from deceptive domains, Netcraft found that a significant number of them had valid digital certificates. Considering that users have been trained to look for HTTPS in the domain before submitting sensitive information online, the bad guys using real certificates make this practice irrelevant.

Making it easier for website owners to obtain and install certificates is supposed to lead to a more trustworthy Internet, as it would improve privacy and authentication online. However, more certificates in use means cyber criminals will try to keep up by using more certificates as well, said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, an enterprise certificate reputation provider.

However, Aas said the certificate ecosystem is not the appropriate mechanism for policing phishing and malware on the Web. CAs do not have sufficient ongoing visibility into sites' content, whereas organizations such as Google and Microsoft have infrastructure in place to identify and analyze every piece of content. "The fight against phishing and malware content is an important one, but it does not make sense for CAs to be on the front lines, at least when it comes to DV certificates," Aas wrote in a blog post back in October.

Browser makers have been building in multiple antiphishing and antimalware protections, which are "more effective and more appropriate" than anything CAs can do, Aas said.

Everyone plays a part?

When criminals can easily obtain certificates, it counteracts the whole purpose of using certificates to identify a site as trusted and legitimate. But the burden for identifying bad actors doesn't rest on any one entity. All critical players -- browser makers, CAs, security companies, and even users -- have to take an active role to stop these sites from succeeding.

Website owners need to have visibility over their own sites and domains and ensure new subdomains are not created without their knowledge. Users need to realize they can't blindly rely on the padlock icon or HTTPS in the domain to determine a site's trustworthiness. They also need to keep software up-to-date to minimize the likelihood of an exploit kit infecting their systems when they encounter a malicious site.

"A certificate authority that automatically issues certificates specific to these subdomains may inadvertently help cyber criminals, all with the domain owner being unaware of the problem and unable to prevent it," Trend Micro's Chen wrote. "Any technology that is meant for good can be abused by cyber criminals, and Let's Encrypt is no exception."

Stay up to date with InfoWorld’s newsletters for software developers, analysts, database programmers, and data scientists. • Get expert insights from our member-only Insider articles.