Is there any truth to this article?

Let’s Encrypt Certificate Abuse Could Put Windows Bitcoiners at Risk - Bitcoinist.net
Link

Recently, though, trojans and spyware signed with Let’s Encrypt certificates have begun to crop up.

LE does not sign code signing certificates. So this is at least wrong. From the quality level I would call the article FUD.

There was a website with a DV certificate issued by LE. And this site had distributed malware. This was the basis for the article. But what do DV, OV and EV mean? They only mean that the CA says that they are sure that:

  • DV: the user of the certificate owns the domain
  • OV: the user of the certificate owns the domain + this company is in the cert
  • EV: the user of the certificate owns the domain + this company is in the cert and is checked more in depth.

A certificate says nothing about the quality or trustworthiness of the content under a certain domain.

There is no rule at any CA that forbids domain names that are misusable (like GO0GLE.COM).
So a domain like fake-bank.com or even malware-site.org would be allowed to receive a certificate.

And the green lock only tells the user:

  • the content you see is from the site
  • there is no one in the way who can read what you get from the site or send to the site.
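As an added illustration of what the DV/OV distinction and the hostname check actually look like in a certificate (example code written for this thread, not from the post above or from Let's Encrypt): the script below takes certificates in the dict form that Python's `ssl.SSLSocket.getpeercert()` returns, reports the validation level from the subject fields, and checks which hostnames the certificate covers. The two certificates and all domain names in it are constructed sample data, not real certificates or real sites. Note that nothing in either certificate says anything about the content served.

```python
"""Added example (not from the thread): inspect a certificate in the dict
form that Python's ssl.SSLSocket.getpeercert() returns, report its
validation level and which hostnames it covers.  The certificates below are
constructed sample data, not real certificates."""

# Constructed sample: a DV certificate.  The subject carries only a
# commonName; the domain is the only thing the CA vouched for.
DV_CERT = {
    "subject": ((("commonName", "fake-bank.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Free CA"),),
        (("commonName", "Example DV Issuing CA"),),
    ),
    "subjectAltName": (
        ("DNS", "fake-bank.example"),
        ("DNS", "www.fake-bank.example"),
    ),
}

# Constructed sample: an OV certificate.  The CA additionally checked the
# organizationName, so it appears in the subject.
OV_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Some Bank AG"),),
        (("commonName", "bank.example"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Commercial CA"),),
        (("commonName", "Example OV Issuing CA"),),
    ),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}


def name_fields(name):
    """Flatten the nested RDN tuples of getpeercert() into a plain dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def validation_level(cert):
    """DV certs carry no organization in the subject; OV and EV do.
    EV is distinguished from OV by certificate policy OIDs, which the
    getpeercert() dict does not expose, so the two are reported together."""
    subject = name_fields(cert["subject"])
    return "OV/EV" if "organizationName" in subject else "DV"


def _label_matches(pattern, hostname):
    """RFC 6125 style matching: a wildcard is only honoured as the whole
    leftmost label and matches exactly one label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    first_p, *rest_p = p_labels
    first_h, *rest_h = h_labels
    if rest_p != rest_h:
        return False
    return first_p == "*" or first_p == first_h


def covers_hostname(cert, hostname):
    """True if the hostname is listed in the certificate's SAN entries.
    This is the check a browser performs before showing the padlock."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_label_matches(name, hostname) for name in dns_names)


def describe(cert, hostname):
    """Summarise what the certificate does and does not assert."""
    return {
        "hostname": hostname,
        "matches": covers_hostname(cert, hostname),
        "level": validation_level(cert),
        "organization": name_fields(cert["subject"]).get("organizationName"),
        # No field in the certificate speaks to the content served.
        "content_vetted": False,
    }


if __name__ == "__main__":
    for cert, host in ((DV_CERT, "www.fake-bank.example"), (OV_CERT, "login.bank.example")):
        print(describe(cert, host))
```

Running it shows the DV certificate matching `www.fake-bank.example` with no organization at all, and the OV certificate matching `login.bank.example` through its wildcard entry; in both cases the `content_vetted` field is False, because the padlock a browser draws from this data is about identity of the domain and confidentiality of the connection, not about what the site serves.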

It is really important for people to know that having a cert or a padlock doesn’t mean the site operator is a “legitimate” company or has benevolent intentions. As @tlussnig says, the cert is there to protect your communications with the site operator, whoever they are and whatever their intentions are. If they’re sending you misinformation or even malware, the cert protects that communication too.


The misconception of the green padlock is something that has come about by ‘safety online’ campaigns and unfortunately this misconception leads to lots of misinformation such as what this article is presenting.

LE certificates are no different from other free certificates. The only difference is that LE certificates are easier to obtain. However, this ease of obtaining them is creating another misconception: that LE does not perform the same checks as the other CAs. The different CAs follow the same standard, and essentially the same checks are performed when obtaining a certificate.

This is a topic that will continue to grow and will continue to have flak generated towards LE. There is a high chance that in the future someone will visit a malware site that LE has provided a certificate for and they will have a monetary loss.

When it comes down to it, the ‘green padlock’ is trying to express a hugely complex thing in an easy-to-recognize image. SSL/TLS is not understood by a large number of website users. There are organizations that are improving the understanding of the certificate system, but it is a hard task without dipping into the technical aspects. Many people (such as myself) have resorted to an ‘if the green padlock’s there, trust it’ mantra when explaining to a non-technical person.

It will be a slow and long learning curve but we will get there in the end.