Malevolent hackers always find a way to crack the most secured system even though people have started to understand the significance of HTTPS in spammers and address bars.
There is an automated service called Let’s Encrypt which helps users to convert their earlier unencrypted URLs to HTTPS addresses which is securely encrypted with a particular kind of file known as the certificate. HTTPS addresses are really amazing, more so since certificates are so costly on the pocket, sometimes overpriced and a majority of users are not able to buy them. So in a way it can be established that the service offered by Let’s Encrypt is able to do good in more ways than one for strengthening and enhancing the internet security for users all over the world, which is sometimes beyond our realization.
Let’s Encrypt was not developed with any idea to encourage abuse, like many other brilliant ideas from technical sector, but it seems that is what is taking place.
You can add HTTPS security to any site easily and free of cost, so malicious cyber criminals intending to hack internet users sometimes think that Let’s Encrypt service is a bit groovy. If a site has HTTPS, users immediately know that it is a securely encrypted connection. But if you notice carefully in browsers such as Google’s Chrome, it displays a bright and attractive tiny green padlock along with the word “Secure” typed in address bar. Security and privacy advocates, from Mozilla and EFF have done anything and everything possible in their capacity to help users identify some signifiers which marks that a website is safe.
But with advancement of technology Let’s Encrypt services is currently getting used to give a legit look for various phishing sites and is totally destructive for us. It is a likely a house fire for those who depend on pretty simple cues such as the green padlock for security and safety. As per The SSL Store certificate reseller, Let’s Encrypt has been found to issue 15,270 SSL total certificates having the word ‘PayPal’ in the time between 1st January 2016 and 6th March 2017.
The SSL Store basically provides some of the outstandingly overpriced certificates, so the mission of Let’s Encrypt’s is definitely not in their good interests. But even then many of their post shows that a vast majority of issued SSL certificates by Let’s Encrypt has started since November and have been issuing near about 100 ‘PayPal’ certificates almost daily. A random survey was carried out and it was found that and SSL Store claimed that around 96.7 percentages of these secured certificates are intended to be used in case of phishing sites.
The reseller also said that, though the analysis is based on some fake PayPal sites, the findings of the firm have found that that many SSL phishing fake sites exists such as Apple IDs, Bank of America, and Google. This is quite risky as these sites are availed by zillions of users.
But it is not that this issue or menace is new, and the bad news is it is getting worse. Trend Micro, security firm in January highlighted semaphore convention worth of red flags regarding an advertising campaign which maliciously targets those websites which uses free Let’s Encrypt certificates.
The researchers of Trend Micro firm in December 2016 were successful in uncovering a spiteful advertisement campaign which encouraged surfers to sites that hosted “Angler Exploit Kit”. Angler is basically a virus infecting software and injects your system in a seamless and invisible manner with malware once you have visited a web page, and it will cause the harm even though you have not clicked anything on the page, without your knowledge. Researches have later showed that almost 50 percent Angler infections goes to ransomware, and they force you to pay a ransom for your files that have been locked.
The average net users can be fooled by the sites that looked real created by malvertisers as they developed subdomains with Let’s Encrypt for HTTPS as found out by Trend Micro. The cyber hackers used Let’s Encrypt certificates that are specially received for subdomains, to make the poisoned sites look secure and valid.
Joseph Chen, fraud researcher of Trend Micro once said “Any technology that is meant for good can be used by cyber criminals, and Let’s Encrypt is no exception,” on TrendLabs Security Intelligence blog.
So why Let’s Encrypt is not able to revoke the obvious fake PayPal certificates? May be they feel it is not their business.
Executive director of Internet Security Research Group, Josh Aas, said to InfoWorld in January that to toss about the fate of certificates after Let’s Encrypt generate them is quite ineffective and impractical. ISRG manages Let’s Encrypt project.
Aas has said in his 2015 blog of Let’s Encrypt about disavowing obligation for enormous HTTPS trust problem that organization has facilitated. He told press that certificate-issuing system cannot be hold responsible for controlling phishing, malware on the Internet.
The post that described the role of CA in combating malware and Phishing may be titled “\_(?)_/” for the interest to address a monster that was being enabled certainly.
Let’s Encrypt then finally pushed the issue on the shoulders of teams of browser security at Firefox, Google, Safari and others. Aas claimed that anti-malware and anti-phishing protections of browsers were definitely more effective and appropriate than what Let’s Encrypt can be expected to do.
Moreover Let’s Encrypt is not going to revoke their certificates even in case Google flagged any malevolent HTTPS phishing certificates.
Then the work to get people trusting HTTPS and the small “Secure” green padlock was unravelled.
So it now recommended that users must use HTTPS always, and at the same time do not trust it blind-folded for protection of their own safety. In this time people must know for sure that that HTTPS is not always equivalent to legitimate safety, as earlier that were made to believe. So it is important that user must check link for spelling, validity, and malfeasance and it should be at top most priority instead of checking whether Chrome says “Secure.” As it may not be the case.
So it is not that the green padlock is no longer a mark of secure website, but it is just that in the domain of cyber security, anything can happen.