What I am trying to determine is why one hostname would be used vs another when a product uses this *.lencr.org for whatever this service provides.
I have looked through MANY bind DNS logs from varied locations, its clear to me that port 80 communication to varied *.lencr.org hostnames is VERY common. Just certain hosts more-so then others.
I see tons pretty much anywhere I look for x1.c.lencr.org for example, but barely any for x1.i.lencr.org for example.
Can anyone please explain to me why this might be, trying to avoid someone classifying this service as being an indicator of malware when it really is not.
Hello @jsmith1 and Welcome to the community.
I have moved this topic to "Issuance policy" for a more appropriate category for this thread.
Please have a read here:
1.) Lots of commercial sites utilize LetsEncrypt to provide TLS certificates for their businesses.
I don't understand most of what your comment implies.
LE only issues certificates for domains that can be proven to be under the control/ownership of the requestor.
LetsEncrypt has no control over the configuration or "Best Practices" of a particular website or their owner/manager(s)
There has been changes due to expired ROOT certificates NOT under the control of LetsEncrypt that has caused confusion for IT and website administrators . Most Admins overlooked the issue and did not prepare for the change...
Someone else will have to respond to this.. I don't understand the comment.
LetsEncrypt is FREE. FREE from costs charges and overhead. It is, however designed to be fully automated with NO human intervention. Lots of admins cant handle that.
The malware reference is irrelevant.
So Really, please clarify your concerns so someone here can address your issue fully.
You did not mention a specific domain.
You did not mention an issue (except "external" concerns and/or observations.
Best I can do on short notice. Encrypting the web is the goal, fixing everyone's mis-configurations and teaching them how to do it right is out of scope here.
Let's Encrypt is a certificate authority which issues certificates to the general public. Subscribers request certificates from Let's Encrypt via the ACME protocol, and Let's Encrypt issues and returns them via the same protocol.
As part of their CA operation business, Let's Encrypt hosts OCSP and CRL services as well as as Authority Information Access for its own certificates. Much of this operation is done over the lencr.org domain.
These are domains serving the Authority Information Access (AIA) for Let's Encrypts intermediate and root certificates.
Clients that establish TLS connections to a server secured with a Let's Encrypt certificate may:
Query OCSP information for that certificate, which involves HTTP requests to a lencr.org domain
Query AIA information for that certificate, which also involves HTTP requests to a lencr.org domain.
Query CRL information for that certificate, which... you get it.
Sorry, no idea. It's all just standard protocols. Let's Encrypt is a very large CA which issues millions of certificates each day so its traffic volume may be higher than expected by some traffic monitoring tools.
It's also possible that some malware uses Let's Encrypt certificates for their operation. Let's Encrypt issues certificates in an automated way to almost anyone, but unfortunately not everyone uses certificates for a good purpose. This might lead to an accidental correlation between actual malware operation and Let's Encrypt.
Hi thanks for the responses guys. You have help me get enough info I think now. If I have it right, it sounds like saying communication to Let's Encrypt is an IOC (indicator of compromise) is sort of like saying the root DNS servers are IOC's and should be blocked because they are allowing A record resolution for a malicious website.
If Satan were running a website that utilized Let's Encrypt certificates for encrypting communications with visitors to said website, that would not mean that Let's Encrypt would have any affiliation with the content of those communications. Believing the contrary would be like blaming a car for the actions of a drunk driver.
