Much has been written about this issue of late; most of the focus has been on Let's Encrypt, but they are not the only CA issuing certificates to phishing sites, though because of the scale Let's Encrypt operates at, they issue the most, and thus take most of the heat.

One of the better articles on the topic is this one by Scott Helme, which is well worth reading:
https://scotthelme.co.uk/lets-encrypt-are-enabling-the-bad-guys-and-why-they-should/

DV certificates only prove control of a domain, not who operates it, or if it should be trusted. To try to read anything more into it is a mistake; this applies to all CAs issuing DV certificates, not just those issued by Let's Encrypt.

The goal many share is to achieve near-ubiquitous TLS use to minimize insecure traffic as much as possible. To achieve that goal, the barrier to entry needs to be minimal, which means freely available DV certificates. Let's Encrypt issues certificates to anyone that can prove control of a domain (with few restrictions), and as with most other forms of secure communications, this means not everyone that uses it will have honest intentions. That is simply the cost of achieving ubiquitous encryption.

Some have suggested a significant change to how browsers display status: display a warning for HTTP, and show HTTPS with a DV certificate as neutral (handling of OV & EV certificates in such an arrangement is more contentious). This would help to eliminate the erroneous feeling some have that certificates impart trust.

On Sun, Mar 26, 2017 at 11:53 AM David E. Ross via dev-security-policy <email@example.com> wrote:

> The subject is the title of a Slashdot article posted today. The
> article can be accessed at
> <https://it.slashdot.org/story/17/03/25/2222246/over-14k-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites>.
>
> The article contains two links. One is to a Bleeping Computer article
> that gives more detail.
>
> The other link is to a Let's Encrypt page where that certification
> authority states:
>
>> Let’s Encrypt is going to be issuing Domain Validation (DV)
>> certificates. On a technical level, a DV certificate asserts that a
>> public key belongs to a domain – it says nothing else about a site’s
>> content or who runs it. DV certificates do not include any
>> information about a website’s reputation, real-world identity, or
>> safety.
>
> To me, this means that certificates can be freely issued to criminal
> enterprises.
>
> --
> David E. Ross
> <http://www.rossde.com>
>
> Consider:
> * Most states mandate that drivers have liability insurance.
> * Employers are mandated to have worker's compensation insurance.
> * If you live in a flood zone, flood insurance is mandatory.
> * If your home has a mortgage, fire insurance is mandatory.
>
> Why then is mandatory health insurance so bad??
> _______________________________________________
> dev-security-policy mailing list
> firstname.lastname@example.org
> https://lists.mozilla.org/listinfo/dev-security-policy

--
*Adam Caudill*
http://adamcaudill.com
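The point made in the thread, that a DV certificate asserts control of a domain and nothing about who operates it, can be checked against the certificate itself rather than the browser UI. The Go program below is an added example, not code from the thread or from Let's Encrypt: it builds self-signed test certificates, marks them with the CA/Browser Forum reserved policy OIDs that public CAs use to label DV (2.23.140.1.2.1), OV (2.23.140.1.2.2) and EV (2.23.140.1.1) issuance, and then reports what each one actually asserts. The hostnames, the organization name and the function names (`ValidationLevel`, `AssertedIdentity`, `makeCert`) are constructed for illustration; only the OIDs and the RFC 5280 `certificatePolicies` encoding are real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum reserved certificate-policy OIDs. A publicly trusted leaf
// certificate carries one of these to state which validation the CA performed.
var (
	oidCABFDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // domain validated
	oidCABFOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // organization validated
	oidCABFEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}    // extended validation

	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies
)

// ValidationLevel classifies a leaf certificate by the CA/B Forum policy OID it
// carries: "DV", "OV", "EV", or "unknown" if none of the reserved OIDs is present.
func ValidationLevel(cert *x509.Certificate) string {
	for _, oid := range cert.PolicyIdentifiers {
		switch {
		case oid.Equal(oidCABFEV):
			return "EV"
		case oid.Equal(oidCABFOV):
			return "OV"
		case oid.Equal(oidCABFDV):
			return "DV"
		}
	}
	return "unknown"
}

// AssertedIdentity returns what the certificate actually claims: the validated
// DNS names, and the subject organization if (and only if) the subject has one.
// For a DV certificate org is empty: the CA checked domain control, nothing else.
func AssertedIdentity(cert *x509.Certificate) (domains []string, org string) {
	if len(cert.Subject.Organization) > 0 {
		org = cert.Subject.Organization[0]
	}
	return cert.DNSNames, org
}

// policyInformation is RFC 5280 PolicyInformation with the optional qualifiers omitted.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// makeCert builds a self-signed test certificate (constructed, never issued) with
// the given SANs, an optional O, and a hand-encoded certificatePolicies extension,
// so the same bytes are produced on every Go release.
func makeCert(dnsNames []string, org string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	policiesDER, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: dnsNames[0]}
	if org != "" {
		subject.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        dnsNames,
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: policiesDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed samples: a DV cert for a look-alike hostname under a reserved
	// TLD, and an EV cert for a fictional organization.
	dv, err := makeCert([]string{"paypal.com.login-verify.example"}, "", oidCABFDV)
	if err != nil {
		panic(err)
	}
	ev, err := makeCert([]string{"www.example.com"}, "Example Corp", oidCABFEV)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{dv, ev} {
		domains, org := AssertedIdentity(c)
		fmt.Printf("%-3s domains=%v org=%q\n", ValidationLevel(c), domains, org)
	}
}
```

Run it and the DV line shows a domain and an empty organization: that is the whole claim the certificate makes, and a look-alike hostname satisfies it exactly as well as the real one. Anything beyond domain control has to come from somewhere other than the DV certificate, which is the thread's point.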