Let's Encrypt has issued a certificate for a domain I own without my knowledge

jsforgames.com.pem (1.8 KB)

I've attached the relevant certificate to this post. I bought the domain with Namecheap on early November and did not use it until now. While setting it up I visited it on my browser and saw that it had a valid certificate i(issued Dec 1 by Let's Encrypt, after I had bought it) and pointing to this site: https://bitlab.kz.

How is this possible? How can anyone bypass the domain verification process? The password I use for Namecheap is random and unique. Could Namecheap generate these certs and point them to some kind of parking page?

Yes, they could. And since it's pretty common for registrars to point domains to a parking page until you set them otherwise, this seems like a pretty plausible explanation, as far as it goes--but the bitlab.kz doesn't look like any parking page I've seen.

7 Likes

Does this mean that MITM is possible with the private key generated by Namecheap? At least until the cert expires.

You can revoke the certificate, if you please. I have a web-based tool for doing that here or you can use a client like Certbot following these instructions.

According to SecurityTrails the domain had an A record in early December and was pointed to DigitalOcean nameservers in early November. Either of those parties could have issued a certificate as well. A DigitalOcean load balancer might have automatically issued a certificate for the domain, if you had created one.

7 Likes

Thanks for the detailed response. As a wider issue, is it not a security threat that 3rd parties can get certs issued like this? How do companies prevent their web apps from getting MITM by someone with a valid cert issued similarly to mine? Is there a paper trail I could follow to exactly know who issued it?

2 Likes

The only entity who can issue a certificate is one who can establish "control" over a domain, which basically means (to slightly oversimplify) either through being able to change a DNS entry, or through being able to create a file on a web server. So your DNS provider, or the hosting provider that you point the A/AAAA record to, can create a certificate, and usually that's exactly as intended (and ideally automatic, so that the owner of the domain doesn't need to worry about it).

Well, there are a couple things that can help for people who are trying to maintain more control over it:

  1. CAA records, which let you specify which certificate authorities can issue certificates for your domain. For Let's Encrypt specifically, they recently announced support for additional parameters which would let the records be locked down to a specific validation method or specific account. However, this still of course is under the control of the DNS provider, and some providers (Cloudflare I think?) might automatically add themselves to the CAA record to issue certificates on your behalf if you use them for DNS and also use their services that might use a certificate.
  2. Certificate Transparency logs, which allow all issued certificates to be publicly announced. There are a few services out there one can use to help keep an eye on them.

Well, it pretty much has to be someone who has control over the DNS or the server itself, so generally you can start with those companies and look at their documentation on when they might issue a certificate. In the case of something nefarious, I'm sure Let's Encrypt keeps various logs and so might know an IP address and account key and such, but I doubt that you could get access to it without a court order or the like.

14 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.