Much has been written about this issue of late; most of the focus has been
on Let's Encrypt, but they are not the only CA issuing certificates to
phishing sites, though because of the scale Let's Encrypt operates at, they
issue the most, and thus take most of the heat.

One of the better articles on the topic is this one by Scott Helme, which
is well worth reading:

https://scotthelme.co.uk/lets-encrypt-are-enabling-the-bad-guys-and-why-they-should/

DV certificates only prove control of a domain, not who operates it, or if
it should be trusted. To try to read anything more into it is a mistake;
this applies to all CAs issuing DV certificates, not just those issued by
Let's Encrypt.

The goal many share is to achieve near-ubiquitous TLS use to minimize
insecure traffic as much as possible. To achieve that goal, the barrier to
entry needs to be minimal, which means freely available DV certificates.
Let's Encrypt issues certificates to anyone that can prove control of a
domain (with few restrictions), and as with most other forms of secure
communications, this means not everyone that uses it will have honest
intentions. That is simply the cost of achieving ubiquitous encryption.

Some have suggested a significant change to how browsers display status:
display a warning for HTTP, and show HTTPS with a DV certificate as neutral
(handling of OV & EV certificates in such an arrangement is more
contentious). This would help to eliminate the erroneous feeling some have
that certificates impart trust.


On Sun, Mar 26, 2017 at 11:53 AM David E. Ross via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> The subject is the title of a Slashdot article posted today.  The
> article can be accessed at
> <https://it.slashdot.org/story/17/03/25/2222246/over-14k-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites>.
>
>
> The article contains two links.  One is to a Bleeping Computer article
> that gives more detail.
>
> The other link is to a Let's Encrypt page where that certification
> authority states:
> > Let’s Encrypt is going to be issuing Domain Validation (DV)
> > certificates. On a technical level, a DV certificate asserts that a
> > public key belongs to a domain – it says nothing else about a site’s
> > content or who runs it. DV certificates do not include any
> > information about a website’s reputation, real-world identity, or
> > safety.
> To me, this means that certificates can be freely issued to criminal
> enterprises.
>
> --
> David E. Ross
> <http://www.rossde.com>
>
> Consider:
> *  Most states mandate that drivers have liability insurance.
> *  Employers are mandated to have worker's compensation insurance.
> *  If you live in a flood zone, flood insurance is mandatory.
> *  If your home has a mortgage, fire insurance is mandatory.
>
> Why then is mandatory health insurance so bad??
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
-- 
Adam Caudill
http://adamcaudill.com
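As an added illustration of the point made in this thread, that a DV certificate binds a key to a domain name and asserts nothing about who operates it (this is example code, not from Adam Caudill's message, the list, or Let's Encrypt's own software): the Go program below builds two self-signed test certificates, one shaped like a DV issuance (domain in the subject CN and SAN, CA/Browser Forum DV policy OID 2.23.140.1.2.1) and one shaped like an OV issuance (organisation and country in the subject, OV policy OID 2.23.140.1.2.2), then parses each back and reports exactly what it claims. The policy OIDs are the real CA/Browser Forum values; the domain names and organisation are constructed samples, and the function names NewLeaf, Describe, DVLeaf and OVLeaf are chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs that state the validation level a certificate
// was issued under: 2.23.140.1.2.1 = DV, 2.23.140.1.2.2 = OV, 2.23.140.1.1 = EV.
var (
	OIDDomainValidated       = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	OIDOrganizationValidated = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	OIDExtendedValidation    = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// Assertion is what a leaf certificate actually claims, and nothing more.
type Assertion struct {
	Level   string   // "DV", "OV", "EV" or "unknown"
	Domains []string // names the public key is bound to
	Org     string   // organisation identity verified by the CA; empty for DV
}

// Describe reads the validation level from the certificatePolicies extension
// and the organisation from the subject. A DV certificate yields domains only.
func Describe(cert *x509.Certificate) Assertion {
	a := Assertion{Level: "unknown", Domains: cert.DNSNames}
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(OIDExtendedValidation):
			a.Level = "EV"
		case p.Equal(OIDOrganizationValidated) && a.Level != "EV":
			a.Level = "OV"
		case p.Equal(OIDDomainValidated) && a.Level == "unknown":
			a.Level = "DV"
		}
	}
	if len(cert.Subject.Organization) > 0 {
		a.Org = cert.Subject.Organization[0]
	}
	return a
}

// policyInformation is the ASN.1 PolicyInformation structure without qualifiers.
type policyInformation struct{ Policy asn1.ObjectIdentifier }

// NewLeaf builds a self-signed test certificate (constructed for this example, not
// a real CA issuance). The certificatePolicies extension (OID 2.5.29.32) is
// marshalled by hand so behaviour does not depend on the Go version's policy field.
func NewLeaf(subject pkix.Name, dnsNames []string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	polDER, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        dnsNames,
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DVLeaf mirrors a DV issuance: the domain in CN and SAN, the DV policy OID, nothing about the operator.
func DVLeaf(domain string) (*x509.Certificate, error) {
	return NewLeaf(pkix.Name{CommonName: domain}, []string{domain}, OIDDomainValidated)
}

// OVLeaf adds the organisation fields an OV issuer verifies before issuing.
func OVLeaf(domain, org, country string) (*x509.Certificate, error) {
	subj := pkix.Name{CommonName: domain, Organization: []string{org}, Country: []string{country}}
	return NewLeaf(subj, []string{domain}, OIDOrganizationValidated)
}

func main() {
	dv, err1 := DVLeaf("secure-login.example")                  // constructed sample domain
	ov, err2 := OVLeaf("www.example.com", "Example Corp", "US") // constructed sample
	if err1 != nil || err2 != nil {
		panic("certificate construction failed")
	}
	fmt.Printf("%+v\n%+v\n", Describe(dv), Describe(ov))
}
```

Running it shows the DV certificate carrying only the domain name with an empty Org, while the OV certificate carries the organisation the CA checked; a browser UI that treats the DV case as anything more than "control of this name was demonstrated" is reading in what the certificate never said.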