I work in an organization where we (security team) frequently run phishing campaigns against our users to raise awareness and to demonstrate what a phishing attack might look like. We also own several typosquatting domains for our main domain to prevent users from visiting them.
We had the idea of using one of these domains in our next campaign, with a valid certificate to demonstrate that, while a site might have a valid certificate, it is not necessarily the one you want to visit. We are planning to use LetsEncrypt for that reason, hence my question here. I'd like to make sure we're not breaking some terms of service before going ahead with this.
The attack will only last a few days, after which we will remove the certificate and send an explanation e-mail to our users.
You warrant to ISRG and the public-at-large that all information in Your Certificate regarding You or Your domain name is accurate, current, reliable, complete, and not misleading.
And one could make an argument that by intentionally using a typo-based name, even one where you legitimately own both the "real" and the "typoed" name, you're asking for a certificate for a domain name which is "misleading". That term "misleading" also appears later, in 3.7 & 3.8, which say that you need to revoke and stop using your certificate if "any information in Your Certificate is, or becomes, misleading, incorrect or inaccurate."
In practice I wouldn't expect this to be a real problem, as Let's Encrypt has a general policy of not trying to be the "Internet Police" and issues certificates to anybody who can validate that they own the requested domain name. But it might make, like, your lawyers (or whoever's in charge of approval on your side) nervous that this language is in the subscriber agreement, even though Let's Encrypt itself probably won't really care, if that makes sense.
Oh, yes. I guess I'm trying to say that they're unlikely to get somebody from Let's Encrypt to give a blanket statement of "Yes, please use our services for 'bad' domains" since they want to reserve that right (as listed in their Subscriber Agreement) to revoke/stop bad uses, even if their general policy is to not intervene outside of some sort of law-enforcement-type order.
I very well could be wrong, though, and they might outright endorse this idea too.
I would say it's fine. The subscriber agreement gives LE wide authority to revoke / deny issuance; however, in practice I haven't seen any of that except with US SDN listed entities.
Thank you all for the feedback and the very interesting conversation! I've installed the certificate and I'll come back once the campaign is over to share some results with you.
Cheers,
Nikos
The campaign was a success, and interestingly what came out of it was that the typosquatted domain had fewer people trying to submit the login form (6.7% of people who received it) vs. people who were linked to an IP address (7.8%).
Other interesting (but not surprising) facts: "Dear FIRSTNAME" worked quite a bit better than "Dear colleague", and so did e-mail subjects concerning people's contracts rather than other subjects.
Feel free to close this thread.
Cheers,
Nikos