Stop unauthenticated use of our email address for LE certs

#1

Someone has used our email address to register a Let’s Encrypt certificate for what looks like a phishing domain. How can we stop people using our email address for this purpose (as we obviously don’t want to be associated with it, nor keep receiving renewal notifications for it)?

Is there any mechanism within Let’s Encrypt to set authentication required for an account? Or maybe some standard mechanism to say “I’m the owner of email address … and would like domain … revoked please”

The domain is: appleid.apple.com.greetingsaskaboutorder9281.tk

#2

The email body has a link to unsubscribe from future notices. If you hit that link, you won’t get any expiration notices for the next year. The list of “who’s unsubscribed” is independent for Staging notices and Production notices, so you can feel free to unsubscribe from Staging without affecting your Production status.

#3

Hi @andyjeffries

that’s curious.

There is one Letsencrypt certificate. But there is an older cPanel certificate with different subdomains.

CRT-Id: 1267689628
Issuer: CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US
Not before: 2019-03-07 20:06:42
Not after: 2019-06-05 19:06:42
Domain names (1 entry): appleid.apple.com.greetingsaskaboutorder9281.tk

CRT-Id: 1162342838
Issuer: CN=“cPanel, Inc. Certification Authority”, O=“cPanel, Inc.”, L=Houston, C=US, ST=TX
Not before: 2019-01-30 23:00:00
Not after: 2019-05-01 21:59:59
Domain names (6 entries): appleid.apple.com.greetingsaskaboutorder9281.tk, cpanel.appleid.apple.com.greetingsaskaboutorder9281.tk, mail.appleid.apple.com.greetingsaskaboutorder9281.tk, webdisk.appleid.apple.com.greetingsaskaboutorder9281.tk, webmail.appleid.apple.com.greetingsaskaboutorder9281.tk, www.appleid.apple.com.greetingsaskaboutorder9281.tk

Looks like a cPanel was used to create that certificate.

#4

So is there any way of stopping this from happening? Or authenticating “I’m the owner of the email address, I’d like to get the chance to approve/reject certificates (or revoke them after the fact) requested using this address”?

Thanks.

#5

You can revoke certificates whenever you want, as long as you control the domain.

You can’t authenticate certificate issuance via email, but you can prevent or control issuance by placing a CAA record on your domain, to the effect of blocking Let’s Encrypt: https://letsencrypt.org/docs/caa/ . At some point in the future, it will be possible to set up a CAA record that only allows a nominated Let’s Encrypt account to issue certificates for your domain, but we’re not quite there yet.

Double-opt-in for emails would be preferable in my opinion, I’m not sure why they didn’t choose that option.
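To make concrete what a CAA record on your own domain does and does not control, here is a small evaluator of the RFC 8659 lookup rules, extended with the RFC 8657 accounturi parameter that the post above describes as still to come. This is an added example, not code from the thread or from Let’s Encrypt; the zone data, domain names and ACME account URL are all constructed.

```python
"""CAA (RFC 8659) issuance check over a constructed DNS snapshot."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 = issuer-critical; not needed for this check
    tag: str     # "issue", "issuewild" or "iodef"
    value: str

# Constructed records, not real DNS. example.co.uk plays the email owner's
# own domain: issuance is pinned to one hypothetical Let's Encrypt account
# and wildcards are forbidden outright. The lookalike domain used by the
# phisher (phish.example.net here) publishes no CAA at all.
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"  # hypothetical
ZONE = {
    "example.co.uk": [
        CAA(0, "issue", f"letsencrypt.org; accounturi={ACCT}"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@example.co.uk"),
    ],
}


def relevant_caa(name, zone):
    """RFC 8659 s3: use the RRset of the closest ancestor-or-self that has one."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def parse_value(value):
    """'letsencrypt.org; accounturi=X' -> ('letsencrypt.org', {'accounturi': 'X'})."""
    issuer, *params = [p.strip() for p in value.split(";")]
    pairs = (p.split("=", 1) for p in params if "=" in p)
    return issuer.lower(), {k.strip().lower(): v.strip() for k, v in pairs}


def may_issue(name, ca_domain, zone, account_uri=None, wildcard=False):
    """True if the CA identified by ca_domain may issue for name."""
    rrset = relevant_caa(name, zone)
    # For a wildcard request, issuewild records replace issue records if present.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    restricting = [r for r in rrset if r.tag == tag]
    if not restricting:      # no CAA anywhere up the tree, or only iodef: any CA may issue
        return True
    for issuer, params in map(parse_value, (r.value for r in restricting)):
        if issuer != ca_domain.lower():   # ";" (empty issuer) matches no CA at all
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue                      # right CA, wrong ACME account
        return True
    return False
```

The last case below is the thread's point: a CAA record on the email owner's domain has no effect on issuance for the phisher's domain, which carries no CAA of its own.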

#6

as long as you control the domain

Which domain? The domain the email used OR the domain the certificate was registered for?

CAA record on your domain, to the effect of blocking Let’s Encrypt

Do you mean on our email’s domain OR on this dodgy person’s phishing domain?

Hopefully more comes in the future regarding this as it feels the controls around cert creation are proof of concept level rather than polished professional level. Don’t get me wrong, I love LE - but now our account is getting spam and we can’t just bin our primary company’s contact email address, nor block the emails because we use LE too.

#7

Oh, I misread. If you do not control greetingsaskaboutorder9281.tk, then that situation indeed does suck, since you can’t unsubscribe only for that particular domain.

I would try throwing an email to security@letsencrypt.org and asking them to remove your email address from that phishing domain’s ACME account registration. There’s a chance they might oblige.

#8

Thanks, I’ve messaged them. I’ll see what they say.

#9

Probably because it isn’t consistent with “obtain the cert immediately with a single command”.

How so? They validate domain control in accordance with industry practices. With very limited exceptions, they do not block certs for bad actors, as they (correctly) take the position that the cert makes no assertion regarding the trustworthiness of the site you’re visiting.

You’re getting expiration notices for a domain that doesn’t exist any more. After a couple of them, the cert will be expired, and you won’t get any more. Your company’s email is not “associated” with that phishing domain in any public way.

#10

It could still have impact, as authorities may ask Let’s Encrypt which data they have about that phishing domain.

I feel it’s important Let’s Encrypt implements a mechanism to:

  • Ask which domain(s)/certificate(s) are associated with your email
  • Selectively remove the association

The European GDPR may impose that too (right to access and right to correct).

Those rights could be automated, for example with the following mechanism:

  • To ask the data, you send an email to [automatic-data-request]@letsencrypt.com
  • The answer is sent to the same email and contains links to remove the associations.

#11

Very true tdelmas, we’re a UK company so this law definitely applies. However, it is good to know that Let’s Encrypt will never give out our email address from a domain name, even if the authorities ask them “who is the owner of phishing domain X.Y.Z”.

#12

I just suggested the opposite could happen; what makes you think that they will not give it to authorities? (Or did you mean, “it’s better to delete it to be sure Let’s Encrypt will not give our email address if the authorities ask them ‘who is the owner of phishing domain X.Y.Z’”?)

#13

I love this idea! Selective unsubscription is sorely needed, especially with the “exact set of domains has changed and now I get pointless emails for a week” problem.