Author Topic: LetsEncrypt issuing over 100 SSL certificates per day to phishing sites.  (Read 4659 times)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk

Chrome/Mozilla are forcing sites running forums to get SSL certificates or their sites get marked as insecure by the browser.
This week it was announced that many thousands of SSL certificates have been issued to phishing sites by Let's Encrypt - over 15,000 to PayPal phishing sites alone - but others include the likes of Apple, Google, Bank of America etc.

So now we have hundreds of thousands of phishing sites which, because they are https, could literally lull the average Joe Bloggs into a false sense of security, as their browser displays the secure padlock. :(

Quote
Kolochenko believes that web browsers marking any HTTPS website as secure are more responsible for the increasing problem with phishing.

"Web browsers encourage users to blindly trust the HTTPS websites' security without any justifiable reason, failing to mention that it's only about channel encryption and almost nothing about website trustworthiness or web application security," he said, emphasising that it was now difficult to determine whose carelessness contributed more to the increase of phishing campaigns.

Kolochenko also questions whether it is reasonable to encrypt all web traffic, as he believes it allows malware to easily bypass various security mechanisms more efficiently, causing huge damage to end users and companies.

"I am quite sure that if we will see how many of Let's Encrypt SSL certificates are used by malware to exfiltrate stolen data - results will be pretty scary. Therefore, it's difficult to predict how Let's Encrypt will shape its growth strategy in the future to preclude cybercriminals from abusing its desire to make the web safer,"

http://www.theinquirer.net/inquirer/news/3007326/lets-encrypt-has-issued-15-000-ssl-certificates-to-paypal-phishing-sites
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
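The 15,000 PayPal figure in the article comes from looking at the names on certificates a CA has issued and spotting a brand in a domain the brand does not own. The following is an added example of that kind of defender-side triage check, not code from the article or from Let's Encrypt; the brand list, the tiny public-suffix table and the certificate names are all constructed assumptions (a real deployment would feed it Certificate Transparency log entries and use the full Public Suffix List).

```python
"""Flag certificate names that carry a protected brand inside a registrable
domain the brand does not own. Added example; every input here is constructed."""
import re

# Brands and the registrable domains they actually control (assumption for the example).
PROTECTED_BRANDS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com"},
    "google": {"google.com"},
    "bankofamerica": {"bankofamerica.com"},
}

# Minimal stand-in for the Public Suffix List; real code must use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(name: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = name.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def flag_brand_abuse(cert_names):
    """Return (name, brand) pairs where a brand token appears anywhere in a
    certificate name whose registrable domain is not one the brand owns.
    Wildcard prefixes are stripped; hyphens and dots are squashed so that
    'pay-pal' still matches. This is a triage signal, not proof of phishing:
    an innocent 'pineapplecafe.example' would also trip the 'apple' token."""
    hits = []
    for raw in cert_names:
        name = raw.lower().lstrip("*.")
        squashed = re.sub(r"[^a-z0-9]", "", name)
        owner = registrable_domain(name)
        for brand, owned_domains in PROTECTED_BRANDS.items():
            if brand in squashed and owner not in owned_domains:
                hits.append((name, brand))
    return hits


# Constructed sample of subject/SAN names, in the order a log feed might deliver them.
SAMPLE_CT_NAMES = [
    "www.paypal.com",                      # legitimate: owner domain is paypal.com
    "paypal-account-verify.example.net",   # brand token in an unrelated domain
    "secure.pay-pal-login.example.org",    # hyphenated variant
    "*.google.com",                        # wildcard on the real owner domain
    "appleid-confirm.example.co.uk",       # multi-label public suffix handled
    "kitz.co.uk",                          # no brand token at all
]

if __name__ == "__main__":
    for name, brand in flag_brand_abuse(SAMPLE_CT_NAMES):
        print(f"{name}: looks like {brand} but is not on a {brand}-owned domain")
```

The check deliberately keys on the registrable domain rather than on the leftmost label, so `www.paypal.com` passes while `paypal-account-verify.example.net` is flagged; that is the same distinction the padlock does not make for the user.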

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project

Hmm . . .  :hmm:

:wall:
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP

Is there actual evidence, though, that encrypted phishing sites fool more people than unencrypted ones?

We cannot handhold 100% of the way; human stupidity will always play a part.  Pushing for an encrypted web is a good thing; letsencrypt is a good thing.

The only valid points I see are that virus scanners have a hard time dealing with https traffic for their protocol scans, since https is designed to avoid MITM.

The solution is probably to try and educate users that the padlock simply ensures the end-to-end connection is private but not the legitimacy of the site.  I expect what may happen in the future is only EV verified sites get a green padlock and others using cheaper validation will use something like yellow or amber, but even that would not be 100% as phishing sites can still be EV validated; it's just a more expensive and slower process.

Remember also that letsencrypt has lost commercial certificate providers a lot of money as those providers charge fees for automated processes essentially ripping people off.  This alone will draw bad press to lets encrypt to try and drop public confidence in it.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick

I have spent years educating staff belonging to my customers about what the padlock doesn't mean. I pretended to set up a domain name called barclays-secure.co.uk and explained to customers that just because the name looked impressive it didn't mean anything, and showed them that I personally was the owner. That certainly worked, as they never believed in URLs or email addresses any more after that. (I also showed them how even a young child could send an email with a spoofed from address.)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk

I'm not sure about any actual numbers, but I could imagine certain people would.  There are plenty of people who fall for scams as it is, never mind what they would think if they saw the padlock.
I always used to impress on my dad that if he was making any purchases to ensure he looked for a padlock.   Those types of people would need re-educating that a "secure site" does not mean secure, although I'd like to think he wouldn't have fallen for a fake URL.  With us being a technical forum, users here are far more likely to be astute than the majority of people.

---

I think he makes a valid point too in asking why we need to encrypt all web traffic.  I can fully understand if you are making purchases and passing sensitive data...  but forums, blogs etc?

It forces a lot of work for some site owners and there's still the problem to overcome re any images that are in forum posts, which will trigger the insecure message anyhow.

>> Remember also that letsencrypt has lost commercial certificate providers a lot of money as those providers charge fees for automated processes essentially ripping people off.

A fair enough point.  But I've looked at letsencrypt - there's a lot of reading to do and I'm still not sure how I'd go about remembering to renew every 90 days.
Also I think I may be a bit trapped.  Although my hosts allow letsencrypt for free on their shared cloud platform, there's a £19+VAT fee for 3rd party installation on my server.

I have WHM and cPanel but am also scared that I will break something.    I'm not in a position right now to read through loads of jargon.   There's also a reason why I pay for managed hosting.. normal admin takes up most of my time and I'm best leaving that side of things to people who know what they are doing.   It would probably be easiest for me to pay my hosts for the full lot.  Even so I'm waiting to see what happens with SMF 2.1, which is supposed to make https configuration more straightforward.

I've also said before that a concern I also have about SSL is protecting myself.  I have a very valid reason for doing so and that's not because I'm hiding anything but because of the very few people who have been banned, who turned out to be problematic.    One wrote to my ISP demanding my personal details after I banned him for pretending to be something he wasn't and spamming members in PMs... and in another case there were veiled threats suggesting my daughter could end up as kebab meat. I was deliberately reported to Nominet that very same week as a trading site in an attempt to publicly disclose my address.
The relevant authorities know how to contact me - indeed they have done, turning up unannounced trying to track someone down.   I'm not selling anything, it's not a company, it's a non-profit-making community help site.   It's the latter category which is finding these changes the most difficult.
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP

I have migrated dozens of sites over to https; it is an easier process than it sounds.  The most likely gotcha is if there are embedded http links in the code, which will cause mixed loading of http/https, which modern browsers don't like (for good reason).

Letsencrypt has clients which can be used to renew and register certificates. When I first started using letsencrypt with its low 3-monthly renewals I considered it a pain, but now it's much better than traditional renewals after I have adapted to using it.

A few notes.

1 - Letsencrypt will send an email reminder when there are 30 days left to expiry; further emails get sent closer to expiry if a renewal hasn't been carried out.
2 - There are various tools which automate the renewal process; I have created my own scripts which also copy the new certs to locations for the web server to use.
3 - Control panels like DirectAdmin and cPanel now directly support letsencrypt and will automatically renew for you as well.  If you don't see it in your cPanel then your provider may have disabled the feature or have an outdated version of cPanel.

There is no upcoming requirement in browsers to force entire forums to be https, but they will start enforcing the authentication part.  That is inevitable; the only unknown is when it will happen.  I am fairly sure it will be during 2017 though.

A final note is also that phishing sites have not just started using SSL; a while back Comodo was involved with lots of rogue certificates used by phishing sites and other bad practices.  In addition Google will downscore plain http sites for SEO purposes.

It is not just about privacy but also about trust; a padlock should mean the page has reached you untampered between you and the webserver.  Remember Phorm? :)
« Last Edit: March 31, 2017, 02:54:00 AM by Chrysalis »
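Chrysalis's "most likely gotcha" above, and kitz's worry about images in forum posts, are both the mixed-content problem: an https page that pulls a script, stylesheet, image or form target over plain http. Below is an added example of a scanner that finds such subresources before a migration, plus a rewrite helper that upgrades only hosts you have confirmed serve https. It is not code from the thread or from any forum software; the page URL, the HTML and the list of https-capable hosts are constructed for the demonstration.

```python
"""Find subresources an https page would fetch over plain http (mixed content).
Added example; the sample page and host list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser fetches while rendering. Plain <a href> links are
# navigation, not subresources, so they do not cause a mixed-content warning and are
# not listed. A form posting to http is listed because submitted data would leave
# the encrypted channel.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "form": ("action",),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (tag, attribute, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is a comma-separated list of "url descriptor" candidates.
            if attr == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for cand in candidates:
                absolute = urljoin(self.page_url, cand)   # relative paths inherit https
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, attr, absolute))


def find_mixed_content(html, page_url):
    """Return every http subresource reference found in html served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_known_hosts(html, https_capable_hosts):
    """Rewrite http://host references to https:// for hosts confirmed to serve https.
    Blindly rewriting every http:// would break resources on hosts without TLS,
    so the host list is an explicit, operator-supplied allow list."""
    for host in https_capable_hosts:
        html = html.replace(f"http://{host}", f"https://{host}")
    return html


# Constructed sample: a forum page served over https with four mixed-content hits.
SAMPLE_PAGE_URL = "https://forum.example.net/index.php?topic=1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/Themes/default/css/index.css">
<script src="http://cdn.example.net/jquery.js"></script>
</head><body>
<img src="https://img.example.org/ok.png">
<img src="http://img.example.org/photo.png" srcset="http://img.example.org/photo@2x.png 2x">
<a href="http://www.kitz.co.uk">plain links are fine</a>
<form action="http://forum.example.net/login.php"><input name="pw"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"<{tag} {attr}> loads over http: {url}")
    fixed = upgrade_known_hosts(SAMPLE_HTML, {"img.example.org"})
    print("remaining after upgrading img.example.org:",
          len(find_mixed_content(fixed, SAMPLE_PAGE_URL)))
```

Run it over a saved copy of each page template before flipping the site to https; anything it reports on a host you do not control (user-posted images, third-party CDNs) is what will trigger the browser's warning after the move.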

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi

Interworx control panel is fully capable of Let's Encrypt, including auto renew, and has been for a long time.

I think you all make valid points, which are nothing new in another forum I take part in, and I would have stated them but chrys beat me to it.

I do think it is an area which needs to be tackled on many fronts to help stop it, from users to ISPs, and parts of other threads on kitz are involved, such as geoip, but that's taking this thread off topic.

At the end of the day, it cannot be stopped, which the bad people know, just mitigated after the event.

I think very similarly though to kitz over having mixed http/https for websites, and I believe the previous use of https was ideal - https used for any login/purchase area etc, and other non-essential areas are fine in http. However, https takes more resources when it is used, but as servers are more powerful than previously, and SSL certs are now available free, that's why they're pushing it through.

@kitz, I feel for you re threats; there are bad people out there, so please do not let it get to you - people seemingly think they are anonymous on the internet and laws do not apply, but they do, and there are things you can do.

I hope my post has not taken your thread off topic, as it raises many different areas involved in the thread.

Many thanks

John

BigJ

  • Member
  • **
  • Posts: 83

I'm largely with Chrysalis on this one, who has put it far more eloquently than I could. I would add in my simplistic style that I believe secure communication should be the default. I know it's not a good analogy, but when I communicate in paper form I always use an envelope, and I see SSL/TLS certificates in that sense. I use letsencrypt purely for my own personal needs and it fits my "all communication should be private by default" ethos.

EDIT: spelling. In my defence, I've been down the pub :)
« Last Edit: March 31, 2017, 09:46:29 PM by BigJ »

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP

Yeah, the power of letsencrypt is pretty neat. Whilst before it was a manual process of filing manual renewal requests over a web page to certificate authorities, now I have a script that can renew for dozens of domains all in one go, which I run every 2 months. As a sysadmin it's a huge time saver.

Also, what hasn't been mentioned yet on here is email servers. Usually I have not bothered with certificates for any mail servers as I considered it not worth the cost; now they're free, I can offer a trusted path to my email users, who no longer have to manually approve invalid certificates in their clients.

BigJ

  • Member
  • **
  • Posts: 83

Good point about email Chrysalis. I had considered running my own email server but read that residential IP addresses were not always considered trustworthy by certain organisations. I ended up going with an email provider that supported SSL/TLS connections.

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi

Email servers are frowned upon if not TLS 1.2 capable (1.3 is not that far off).

A point to note though: there could be 2 separate instances of email SSL, the client's end and server to server.

The client side, though, I always thought was overkill, given that most do not have a full dedicated mail server, and it was so easily overcome by setting all domain MX records of all domains to be that used by the mail platform, i.e. server to server, as it resolves to the same IP address.

I think, as I said earlier, this thread intrudes upon too many different aspects, email servers being one of them. However, the original thread and subsequent posts will not stop the bad people; only vigilance of users will do this, but certain aspects could help, though this intrudes upon a user's location and IP range.

As I always say, if the big players like Microsoft cannot protect themselves, what chance do people have?

Many thanks

John

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP

>> Good point about email Chrysalis. I had considered running my own email server but read that residential IP addresses were not always considered trustworthy by certain organisations. I ended up going with an email provider that supported SSL/TLS connections.

I am talking about servers in a datacentre not at home :)

petef

  • Reg Member
  • ***
  • Posts: 135

In my experience the bad guys are the early adopters of security techniques. For example, SPF and DKIM in emails. We need to live with that in the short term. Eventually most, but sadly not all, of the mainstream catch up.

I submitted my web site to the Mozilla security checker. The main take away from that is that I should redirect from HTTP to HTTPS. What I do at the moment is serve both, though I only publish the HTTPS URL. Do people have opinions on whether the WWW is at a stage now that we should be deprecating HTTP?

--
Pete Forman
https://payg-petef.rhcloud.com/
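Pete's takeaway from the Mozilla checker (serve both, but redirect HTTP to HTTPS) is usually paired with a Strict-Transport-Security header so that returning browsers stop trying plain http at all. The following is an added example of that behaviour as a WSGI middleware, not Pete's site configuration or anything from the Mozilla tool; the downstream `hello_app`, the canonical hostname `site.example` and the `call` driver are assumptions made for the demonstration.

```python
"""Redirect plain-http requests to https and add HSTS on https responses.
Added example as a WSGI middleware; the app, host and driver are constructed."""
from urllib.parse import quote


def https_redirect(downstream, canonical_host, hsts_max_age=31536000):
    """Wrap a WSGI app. Requests that arrived over http get a 301 to the same
    path on https; responses that went over https gain a Strict-Transport-Security
    header telling the browser to use https for this host from now on."""
    def app(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Build the target from the configured host, not the request's Host
            # header, so a forged Host cannot turn the redirect into an open redirect.
            path = quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            target = f"https://{canonical_host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security",
                 f"max-age={hsts_max_age}; includeSubDomains"),
            ]
            return start_response(status, headers, exc_info)

        return downstream(environ, start_with_hsts)
    return app


def hello_app(environ, start_response):
    """Stand-in for the real site (assumption)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over tls\n"]


def call(app, scheme, path="/", query=""):
    """Drive a WSGI app with a minimal environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {
        "wsgi.url_scheme": scheme,
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "HTTP_HOST": "attacker-controlled.example",  # shows the Host header is ignored
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


site = https_redirect(hello_app, canonical_host="site.example")

if __name__ == "__main__":
    print(call(site, "http", "/index.php", "topic=1"))
    print(call(site, "https", "/"))
```

The HSTS header is only emitted on https responses, which is what the specification requires (browsers ignore it over http), and the max-age of one year matches what the Mozilla checker expects before it stops flagging the header as weak.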