Can I issue a cert for an internal awareness phishing campaign?

Greetings, and thank you for a great service.

I work in an organization where we (security team) frequently run phishing campaigns against our users to raise awareness and to demonstrate what a phishing attack might look like. We also own several typosquatting domains for our main domain to prevent users from visiting them.

We had the idea of using one of these domains in our next campaign, with a valid certificate to demonstrate that, while a site might have a valid certificate, it is not necessarily the one you want to visit. We are planning to use LetsEncrypt for that reason, hence my question here. I'd like to make sure we're not breaking some terms of service before going ahead with this.

The attack will only last a few days, after which we will remove the certificate and send an explanation e-mail to our users.

Thank you,
Nikos

4 Likes

Hi @nikofil

I don't see a problem. Certificate validation -> a proof that you own the domain is required -> that's all.

And there are real phishing sites with Letsencrypt certificates. So it's a general problem.

Check

--

Disclaimer: I'm not from Letsencrypt, I'm a Letsencrypt user.

4 Likes

I would also hazard a guess that the answer is "yes", because:

  1. It doesn't seem to be prohibited in the subscriber agreement (as long as you're not breaking the law)
  2. We have this official-ish statement to go on:

5 Likes

@_az It does sound a little bit like "red teaming", right?

2 Likes

Well, the subscriber agreement does say:

You warrant to ISRG and the public-at-large that all information in Your Certificate regarding You or Your domain name is accurate, current, reliable, complete, and not misleading.

And one could make an argument that by intentionally using a typo-based name, even one where you legitimately own both the "real" and the "typoed" name, you're asking for a certificate for a domain name which is "misleading". That term "misleading" also appears later, in 3.7 & 3.8, which say that you need to revoke and stop using your certificate if "any information in Your Certificate is, or becomes, misleading, incorrect or inaccurate."

In practice I wouldn't expect this to be a real problem, as Let's Encrypt has a general policy of not trying to be the "Internet Police" and issues certificates to anybody who can validate that they own the requested domain name. But it might make, like, your lawyers (or whomever's in charge of approval on your side) nervous that this language is in the subscriber agreement, even though Let's Encrypt itself probably won't really care, if that makes sense.

2 Likes

Hence the purpose of posting this topic in the first place?

:man_shrugging:

2 Likes

Oh, yes. I guess I'm trying to say that they're unlikely to get somebody from Let's Encrypt to give a blanket statement of "Yes, please use our services for 'bad' domains" since they want to reserve that right (as listed in their Subscriber Agreement) to revoke/stop bad uses, even if their general policy is to not intervene outside of some sort of law-enforcement-type order.

I very well could be wrong, though, and they might outright endorse this idea too. :slight_smile:

2 Likes

I would say it's fine. The subscriber agreement gives LE wide authority to revoke / deny issuance, however in practice I haven't seen any of that except with US SDN listed entities.

1 Like

I've also seen Let's Encrypt revoke certificates associated with ACME clients that violate the subscriber agreement.

Great Idea @nikofil !
Put the test to your users...
Would you come back and give us a glimpse of your results when the "attack" is completed?

2 Likes

Thank you all for the feedback and the very interesting conversation! I've installed the certificate and I'll come back once the campaign is over to share some results with you.
Cheers,
Nikos

3 Likes

The campaign was a success, and interestingly what came out of it was that the typosquatted domain had fewer people trying to submit the login form (6.7% of people who received it) vs. people who were linked to an IP address (7.8%).
Other interesting (but not surprising) facts: "Dear FIRSTNAME" worked quite a bit better than "Dear colleague", and so did e-mail subjects concerning people's contracts rather than other subjects.
Feel free to close this thread. :slight_smile:
Cheers,
Nikos

5 Likes

Did you also do a comparison between a typosquatted domain with a certificate and a typosquatted domain without one?

1 Like
