1. 15

I think that this is something we netizens can deal with. This is one bad actor compared to the incredible number of other sites that have finally been encrypted. I expect that as Let’s Encrypt is used more we’ll see more of this, but it’ll always be a small percentage.

New lesson for the year: The green padlock doesn’t always mean “trustworthy”; just “encrypted.”

  2. 28

    Somewhat confused about what the problem is. Somebody created a domain. If I understand correctly, that somebody is the owner of that domain, since they appear able to host content with it. That somebody also got a certificate. That sounds a lot like what is supposed to happen.

    1. 26

      Yes, Let’s Encrypt is not what’s being abused here; the victims' DNS hosting is. It’s absurd to suggest that Let’s Encrypt should have a role in preventing this, but I don’t want to address that in detail because there’s actually something more important on the table.

      Let’s Encrypt was founded to work towards a future where it’s realistic to expect SSL for every connection. This is a goal I profoundly agree with, as I’ve posted before. SSL for everything is fundamentally incompatible with SSL only for nice people, and that’s okay - that was always the goal.

      Unfortunately, from the perspective of many players, SSL is a marketing tool (“See, you can trust us!”), and anything it actually achieves or fails to achieve is incidental. What Let’s Encrypt is doing weakens the marketing value of serving via SSL, because it means users are going to have to adapt to the idea that only explicitly illegitimate sites don’t have it, and there will no longer be extra trust for the sites that do. It also can’t help but bring the price of certificates down in general, in the long run, which upsets the for-profit CA business model, even though it probably won’t demolish it.

      It isn’t necessary for critics of Let’s Encrypt to disclose their financial incentives explicitly, because that’s clear just from looking at what types of business they are. There’s nothing shadowy happening here, but there is a large-scale disagreement going on that not everybody has noticed, and this sort of thing needs to be read with some cynicism.

      1. 5

        Unfortunately, from the perspective of many players, SSL is a marketing tool (“See, you can trust us!”), and anything it actually achieves or fails to achieve is incidental.

        Well stated. The “lock” icon is synonymous with “it must be OK to enter my Credit Card, or Bank Account password.” The lock icon and those idiotic “Norton Secured” buttons.

        which upsets the for-profit CA business model, even though it probably won’t demolish it.

        One can dream, though, right?

      2. 8

        The problem is, as stated in the article, Trend Micro itself is a CA, and is missing out on some SSL certificate cash because of Let’s Encrypt. This is a minor hit piece.

        1. 7

          At least now when malware steals your data it will be encrypted!

          1. 12

            That is a security improvement. It means an MITM can’t steal your data a second time. And state actors have been doing that routinely as a hard-to-trace exfiltration strategy, so…

            1. 6

              Yes! I can respect[1] malware authors who have enough respect for their victims to ensure that no one else can steal it. It’s certainly a big step up from the wild west that existed before.

              Thanks, Let’s Encrypt!

              [1] Though, I’d respect them a lot more if they went with an EV cert. That’d show some real initiative.

          2. 3

            “Somebody created a domain … [and] is owner of that domain”

            Nope, the problem was that attackers were able to control a third party’s DNS, create a subdomain, and host (malicious) content on that subdomain, protected by a fresh Let’s Encrypt cert.
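            The scenario in this comment (an attacker with control of a victim’s DNS quietly adding a subdomain) is something the zone owner can detect by comparing periodic snapshots of their own zone against an approved baseline. The script below is an added example written for this thread, not code from the original page or from Let’s Encrypt; the zone name `example.test`, the addresses, the minimal zone-file format it parses and the `APPROVED_HOSTS` list are all constructed for the illustration.

```python
"""Detect unexpected DNS records added to a zone you control.

Added example for this thread, not code from the original page or from
Let's Encrypt. The defence shown is a baseline-versus-current comparison
of zone records, flagging new hostnames that point outside an approved
host list. All names, addresses and the zone itself are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # fully qualified, lower-cased, trailing dot stripped
    rtype: str  # "A", "AAAA", "CNAME", "MX", ...
    value: str  # rdata as text


def parse_zone(text: str) -> set[Record]:
    """Parse a minimal zone dump: 'name TTL IN TYPE value' per line.

    Lines starting with ';' comments and blank lines are ignored. This is a
    deliberately simplified parser for the example, not a full RFC 1035 one.
    """
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {raw!r}")
        name, _ttl, _cls, rtype, value = parts
        records.add(Record(name.lower().rstrip("."), rtype.upper(), value.strip()))
    return records


def zone_diff(baseline: set[Record], current: set[Record]):
    """Return (added, removed) records relative to the approved baseline."""
    return current - baseline, baseline - current


def suspicious_additions(added: set[Record], approved_hosts: set[str]) -> list[Record]:
    """Flag added records that make a new name resolve somewhere outside the
    approved host list. A, AAAA and CNAME are the types that let a fresh
    hostname serve content (and pass a domain-validated certificate check)."""
    flagged = []
    for r in sorted(added, key=lambda x: (x.name, x.rtype)):
        if r.rtype in {"A", "AAAA", "CNAME"} and r.value.rstrip(".").lower() not in approved_hosts:
            flagged.append(r)
    return flagged


# Constructed sample data: the approved baseline snapshot and a later dump.
BASELINE_ZONE = """
example.test.      3600 IN A     192.0.2.10
www.example.test.  3600 IN CNAME example.test.
example.test.      3600 IN MX    10 mail.example.test.
"""

CURRENT_ZONE = """
example.test.      3600 IN A     192.0.2.10
www.example.test.  3600 IN CNAME example.test.
example.test.      3600 IN MX    10 mail.example.test.
update.example.test. 300 IN A    198.51.100.77   ; appeared between snapshots
"""

# Hosts/addresses the organisation actually operates (constructed).
APPROVED_HOSTS = {"192.0.2.10", "example.test", "mail.example.test"}


def run_check() -> list[Record]:
    """Compare the two snapshots and return the records worth alerting on."""
    added, _removed = zone_diff(parse_zone(BASELINE_ZONE), parse_zone(CURRENT_ZONE))
    return suspicious_additions(added, APPROVED_HOSTS)


if __name__ == "__main__":
    for r in run_check():
        print(f"ALERT new record outside approved hosts: {r.name} {r.rtype} {r.value}")
```

            In practice the baseline would be the last reviewed export from the DNS provider and the current snapshot a fresh export pulled on a schedule; any record the check flags is a candidate for the kind of hijacked subdomain described above, regardless of which CA later issues a certificate for it.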

          3. 12

            Reply to this blog post: https://unmitigatedrisk.com/?p=552

            1. 9

              This seems like a very peculiar use of the word ‘abused’? I think the word they actually want here is ‘used’.

              1. 1

                I think most people don’t intend their infrastructure to be used to distribute malware. So it’s correct to say that they have abused Let’s Encrypt (and abused their hosting service, abused their DNS service, …).

              2. 4

                The green padlock doesn’t always mean “trustworthy”; just “encrypted.”

                Nitpicker’s corner: Browsers should only show green if it’s an EV cert, which Let’s Encrypt does not offer. Browsers will do blue or something otherwise.

                1. 3

                  That’s not the case in Firefox, at least - with EV in Firefox it just additionally shows the organization text next to it.