Misused certificates

Happened upon this story:

Has the LE org commented on this yet?

1 Like

This tweet could be a good reply:

I don’t think malvertising are “abusing” @letsencrypt any more than they are abusing TCP or Apache https://twitter.com/martijn_grooten/status/684825524867174400?s=09

9 Likes

It doesn’t stop attackers from obtaining a certificate and creating subdomains with malware under the umbrella of a legitimate site.

@me in general you would be right, but in this case it indicates that the subdomain was not created with the domain owner’s permission. This was already discussed here:

  • White List Subdomains for LE
    vs.
  • Block Subdomains for LE via CAA, which is not supported by all DNS servers.

I am hoping @josh or someone else from LE can comment on the following (@schoen) excerpt from an article about the TrendMicro report. I have bolded the parts I find troubling.

Let's Encrypt automatically issues domain-validated (DV) certificates to websites by checking the URL's phishing status against the Google Safe Browsing API. Once issued, Let's Encrypt does not monitor the certificates or take any action afterward. Even if Google later flags the domain as malicious, Let's Encrypt will not revoke certificates.

"It would be impractical and ineffective," said Josh Aas, executive director of the Internet Security Research Group. ISRG is the group managing the Let's Encrypt project.

Let's Encrypt will not be revoking those certificates issued to the subdomains used in the malvertising attacks, "but it looks like the sites in question have been taken down," Aas said.

Source

This implies that Let's Encrypt will NOT be revoking certificates that are reported for misuse. However, from my reading of the CA/B Forum BRs this is required. I previously started a thread where I cited the relevant BR sections.

I’m not suggesting that LE should be actively re-checking the Google Safe Browsing list and revoking existing certs when flagged. But if a cert is reported to be used for phishing/distribution of malicious software/phishing attempts, is it Let’s Encrypt’s policy to revoke these certs?

1 Like

Well, I think they should be revoked, but it may not be that easy because everything here should be automatic. And upon a single request, just revoking does more harm than anything else.

I would say that when a cert is made that the actual domain owner (via email address obtained from whois) should be contacted.

1 Like

We explained our perspective on attempting to police phishing and malware at the CA level in a blog post.

Our policy does not allow for revoking certificates on the basis of being used by reported phishing and malware sites. Doing so would be impractical, ineffective, and likely lead to mistakes being made. We believe that this policy is in line with our compliance obligations.

We recommend that people who have identified phishing and malware sites report them to Google Safe Browsing and Microsoft SmartScreen.

8 Likes

Not an official reply, but it comes from a member of Let’s Encrypt’s advisory board (Ryan Hurst):
https://unmitigatedrisk.com/?p=552

1 Like

@josh as I already mentioned, from my point of view the news lists at least three different “illegal” actions:

  1. broken into the infrastructure
  2. created a new “subdomain” under the control of the attacker
  3. used the new FQDN for malware distribution

To Point 2: If this is correct, I think it would be the responsibility of the CA to check via the WHOIS record whether the subdomain using the certificate was created with the owner’s permission. The words DOMAIN VALIDATED imply to the user that the CA has checked and can rightfully believe that the certificate was created with the DOMAIN owner’s permission.

To Point 3: Here I totally agree with you that this is not a cause for revocation; this could happen with CDNs and no one wants to revoke a cert for this. But here the domain is correctly owned.

Let’s make a real-world comparison:
2) If I sign a check with the name “Max Mustermann” and you are told that this is a dummy value, you won’t accept it.
3) If there is a big picture in the news saying that I made false signatures under contract and the postman comes to my home and needs a signature, he cannot refuse my signature if I use my own name.

If the domain owner is negligent with the access to his domain, this is not the CA’s concern.

Also, a CA is not responsible for the content someone serves. LE signs a statement that the requester had access to a specific hostname at a given time, and this statement is valid for 90 days. That’s it.

If anyone is drawing false conclusions from that regarding the trustworthiness of the content served under that name at any given point in time, that is completely their own problem.

My opinion.

Edit: What should be possible, though, is that certs can be revoked by proving access to the domain, so that the rightful owner can revoke any rogue certs after a compromise.

5 Likes

This is possible, I think. Having a domain authorization on the account lets you revoke a certificate for that domain (right?).

@TCM if there was a security breach, I think it is not fair to say it is negligent.

LE signs a statement that the requester had access to a specific hostname at a given time, and this statement is valid for 90 days.

That is correct, but from the term “Domain Validated” I, and I think many others, would draw the conclusion that LE checked that the certificate is only given to the domain owner (Domain is well defined via RFC and in fact is not the IP behind an A record).

Well, that’s a way of seeing it, but a good thing about the A record approach is that you can get a cert for your DynDNS domain, which is usually not so easy.

Most WHOIS servers have severe rate limits on lookups so if LE did look up the WHOIS record for each domain, there would have to be a major artificial limit on the number of certificates LE could issue. There has already been a point that everyone can check if/when their domain appears in the transparency log.

Well, not everyone even knows about that stuff.

Also, other CAs usually do this via the WHOIS or admin mail, including StartSSL, the other free CA.

It's an opportunity for a major upsell for the existing CAs, though.

Fraudulent Certificate Monitoring

For an extra $30/month, we will monitor the SSL CT Logs and alert you if any other certificates are issued for your domains. (*30/month per primary domain)

2 Likes
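The kind of monitoring discussed in the last two posts (watching the CT logs for certificates issued for your domains and alerting on ones you did not request) can be done by anyone, not only a CA. The block below is an added example of mine, not code from Let’s Encrypt, crt.sh or anyone in this thread. It assumes the record shape crt.sh returns for a query like https://crt.sh/?q=%25.example.com&output=json (fields id, issuer_name, name_value, not_before, not_after); the records embedded here are constructed for the example so it runs offline. It also goes slightly beyond the post: besides flagging unknown issuers it flags certificates for hostnames that are not in the owner's inventory, which is exactly the "attacker created a subdomain and got a cert for it" case the thread is about, and it ignores certificates that have already expired.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output (field names are
# crt.sh's; every value below is made up for this example). crt.sh puts all
# SAN names of one certificate into name_value, newline-separated.
SAMPLE_CT_JSON = """
[
  {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1",
   "name_value": "www.example.com\\nexample.com",
   "not_before": "2016-01-05T10:00:00", "not_after": "2016-04-04T10:00:00"},
  {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1",
   "name_value": "ad-cdn-7.example.com",
   "not_before": "2016-01-06T02:13:00", "not_after": "2016-04-05T02:13:00"},
  {"id": 1003, "issuer_name": "C=US, O=Example Corp CA, CN=Example Corp Issuing CA",
   "name_value": "mail.example.com",
   "not_before": "2015-12-01T00:00:00", "not_after": "2016-12-01T00:00:00"},
  {"id": 1004, "issuer_name": "C=US, O=Some Other CA, CN=Some Other CA",
   "name_value": "www.example.com",
   "not_before": "2016-01-07T00:00:00", "not_after": "2017-01-07T00:00:00"},
  {"id": 1005, "issuer_name": "C=US, O=Some Other CA, CN=Some Other CA",
   "name_value": "old.example.com",
   "not_before": "2015-01-01T00:00:00", "not_after": "2015-06-01T00:00:00"}
]
"""


def in_scope(name, domain):
    """True if `name` is `domain` itself or a subdomain of it.

    A leading wildcard label is stripped so "*.example.com" counts as in scope.
    The dot is part of the suffix test so "notexample.com" does not match.
    """
    name = name.lower().lstrip("*.")
    domain = domain.lower()
    return name == domain or name.endswith("." + domain)


def is_valid_at(entry, when):
    """True if the certificate's validity window contains `when`."""
    not_before = datetime.fromisoformat(entry["not_before"])
    not_after = datetime.fromisoformat(entry["not_after"])
    return not_before <= when <= not_after


def audit_ct_entries(entries, domain, known_names, expected_issuers, when=None):
    """Return alerts for certificates under `domain` that the owner did not expect.

    An alert is a tuple (cert_id, hostname, issuer_name, reason). A certificate
    is flagged when it covers a hostname the owner does not operate (reason
    "unknown hostname") or when it was issued by a CA the owner does not use
    (reason "unexpected issuer"). Expired certificates are skipped when `when`
    is given. `expected_issuers` is matched as substrings of issuer_name.
    """
    alerts = []
    seen = set()
    for entry in entries:
        if when is not None and not is_valid_at(entry, when):
            continue
        issuer_ok = any(issuer in entry["issuer_name"] for issuer in expected_issuers)
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if not name or not in_scope(name, domain):
                continue
            if name not in known_names:
                reason = "unknown hostname"
            elif not issuer_ok:
                reason = "unexpected issuer"
            else:
                continue
            key = (entry["id"], name)
            if key in seen:  # crt.sh can return the same cert more than once
                continue
            seen.add(key)
            alerts.append((entry["id"], name, entry["issuer_name"], reason))
    return alerts


def run_sample():
    """Audit the constructed records as the owner of example.com would."""
    entries = json.loads(SAMPLE_CT_JSON)
    known = {"example.com", "www.example.com", "mail.example.com"}
    issuers = {"Let's Encrypt", "Example Corp CA"}
    return audit_ct_entries(entries, "example.com", known, issuers,
                            when=datetime(2016, 1, 8))


if __name__ == "__main__":
    for cert_id, host, issuer, reason in run_sample():
        print(f"ALERT crt.sh id={cert_id} {host}: {reason} ({issuer})")
```

Run against the sample, this reports the certificate for the unknown host ad-cdn-7.example.com (issued by an expected CA, so an issuer allow-list alone would have missed it) and the www.example.com certificate from the unexpected CA, while the expired old.example.com certificate is left out. In practice the input comes from the CT log query and the allow-lists from the owner's own inventory.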

Isn’t that a LITTLE bit overpriced? /s
This could probably run automatically; no reason to charge more than for an EV cert for this.

Of course it’s overpriced; DigiCert will do it for free.

2 Likes

[quote=“My1, post:16, topic:8423”]
Isn’t that a LITTLE bit overpriced?
[/quote]
Of course, that was my point.

At least for the time being, Let’s Encrypt is going to check with the Google Safe Browsing API before issuing certificates, and refuse to issue to sites that are flagged as phishing or malware sites. Google’s API is the best source of phishing and malware status information that we have access to, and attempting to do more than query this API before issuance would almost certainly be wasteful and ineffective.

So this means Google has the final say on who gets certificates or not? :frowning:

Well, in Gmail their spam filtering is second to none, especially for a free email service, IMHO. So it doesn’t seem too bad to me.

Are there better lists out there that could or should be queried?