Paul Walsh via dev-security-policy <dev-security-policy@lists.mozilla.org> 
writes:

>The data suggests that automatically issued DV certs for free is a favorite
>for criminals.

True, but that one's just an instance of Sutton's Law, they go for those
because they're the least effort.  I was at a talk yesterday by a pen-tester
who talked about phishing CEOs and the like and a throwaway comment he used at
one point was "we got a cert [for their phishing site] from Let's Encrypt". It
was completely casual, just a built-in part of the process, because the years
of training people to look for the padlock/ green bar/dancing unicorns means
that that's what the bad guys do to make the phish look more convincing. If
Let's Encrypt didn't exist, the phrase would have been "we bought a cheap cert
from GoDaddy".  If browsers only allowed EV certs, it would have been "we
bought an EV cert through a shell corporation" or "... from an underground
market".

Point is, once you've got some universally-recognised signalling mechanism
that a site is OK, it'll be used by the bad guys to make their attacks totally
convincing, whether it's DV certs, EV certs, free certs, expensive certs, or
whatever.

>I can’t add any more evidence to prove that something needs to be done about
>Let’s Encrypt as an entire initiative is an overall failure in my opinion.

It's actually been phenomenally successful.  Browsers won't allow you to
encrypt a connection without a certificate, and Let's Encrypt enables that. It
hands out magic tokens to turn on encryption in browsers, nothing more,
nothing less, and it's been very successful at that.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to