Possible attacks against Let's Encrypt


#1

Hi @ all,

I am writting my thesis and I have to analyze Let’s encrypt. I am searching for some lack of security or some possible attacks against Let’s Encrypt. For now, I have the possibility for an attacker to set up a well looking phishing site with a valid certficate. Users often trust the green padlock more than the URL. Another attack is offered by DNS-Spoofing. Because of domain validation it is possible for attackers to manipuliate the DNS and so accomplish the challenges of the Let’s Encrypt server.
Are these problems correct? Are there other possible attacks against the Let’s Encrypt infrastructure or the proccess of issuing a certificate?

Thanks in advance :slight_smile:


#2

I’m not sure that this forum is an appropriate place to list any “insecurities”, so it seems a really odd question you ask.

In short though, there are measures in place to prevent the “insecurities” you mention, and generally the issues are no different for Let’s Encrypt than any other certificate authority.


#3

Hi @Wuuz,

Always happy to hear about folks researching Let’s Encrypt in academia! :books: :tada:

This doesn’t specifically relate to Let’s Encrypt - you could do this with any certificate authority that issued Domain Validated (DV) certs in an automated fashion (most do). “Trusting the green padlock” more than the URL stems from a misunderstanding about what a DV cert from a CA really attests. I don’t think its fair to characterize that as an attack specific to Let’s Encrypt (or an attack at all!) :slight_smile:

This is correct, but again is more a fault of domain validation than Let’s Encrypt in particular. You’ll find that DV methods possible with both Let’s Encrypt and other CAs that issue DV certs can be subverted by DNS poisoning or BGP hijacking.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.