Hi @ all,
I am writting my thesis and I have to analyze Let’s encrypt. I am searching for some lack of security or some possible attacks against Let’s Encrypt. For now, I have the possibility for an attacker to set up a well looking phishing site with a valid certficate. Users often trust the green padlock more than the URL. Another attack is offered by DNS-Spoofing. Because of domain validation it is possible for attackers to manipuliate the DNS and so accomplish the challenges of the Let’s Encrypt server.
Are these problems correct? Are there other possible attacks against the Let’s Encrypt infrastructure or the proccess of issuing a certificate?
Thanks in advance