I got an expiry notification yesterday. For a certificate I never created (no, very definitely not). This isn't the first time this has happened. Someone is using my email address to create their certificates. I can't unsubscribe to this because then I'd not get the important ones I created and need to be notified about.
This therefore creates a possible attack vector - I could create a lot of certificates with an email of my victim, and then ignore them. A while later they will be swamped with notifications from Let's Encrypt. And they cannot do anything about it. No way to unsubscribe from certain names, and keep their own.
I have nothing to do with the domain. Think about it - when you create a certificate, you specify an email address. Nothing checks it. I could use firstname.lastname@example.org in all my certificates, and I'd not be getting the emails.
And that's why "hiding" your email won't work - it doesn't matter. And given I can create certificates I don't care about at a high rate, and then leave Let's Encrypt to do the mail bombing in 60 days time, I do think this is an issue to be reviewed. It will bite someone bad one day.
Think further - clicking on the unsubscribe link sent to ME from the unknown person's certificate notification would stop me getting any further notifications from Let's Encrypt about MY legitimate domains. See:
Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.
So I cannot unsubscribe without causing myself "damage". And if I wanted, I could create a new certificate twice a day forever, and twice a day forever a junk notification would arrive at my target. And one day a real notification would arrive and they'd ignore it... Sure, if you don't have any certificates, that click solves it. But if an attacker knows your Let's Encrypt email, you will lose.
@mj2015 It's a fair point. As a work-around you could use a cert monitoring service and not rely on the emails from Let's Encrypt. The LE emails are only 'best efforts' and at times have been problematic anyway. So, don't even provide an email address to LE so you could unsub if bothered by misdirected emails.
You can build your own monitoring with openssl or use any number of websites that offer ssl monitoring. I even saw one called LetsMonitor.org which is a clever name but seems no affiliation with Let's Encrypt (or me).
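One way to do the "build your own monitoring with openssl" suggested above, as an added example that is not from this thread or from Let's Encrypt: a small POSIX shell script that uses `openssl x509 -checkend` to flag certificates that expire within a threshold, so the reminder e-mails can be ignored entirely. It assumes the openssl CLI is installed; the file paths, hostname and 30-day threshold are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): local certificate expiry
# monitoring with openssl, independent of Let's Encrypt reminder e-mails.
# Assumes the openssl CLI is installed; paths and thresholds are placeholders.

# Return 0 if the PEM cert in $1 is still valid for at least $2 more days,
# 1 if it expires sooner (or already has), 2 if the file cannot be parsed.
cert_ok_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid at now+N seconds, 1 otherwise
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print the notAfter date of $1 for a report line.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Check the certificate a live host actually serves (what a visitor sees),
# rather than a file on disk that may never have been deployed.
remote_cert_ok_for_days() {
    host="$1"; days="$2"; tmp=$(mktemp)
    openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$tmp" 2>/dev/null
    cert_ok_for_days "$tmp" "$days"; rc=$?
    rm -f "$tmp"; return $rc
}

# Constructed sample data: a self-signed cert at $1 valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout /dev/null -out "$1" >/dev/null 2>&1
}

# Stand-alone use (e.g. from cron):
#   WARN_DAYS=30 ./certmon.sh /etc/letsencrypt/live/example.org/cert.pem ...
# (/etc/letsencrypt/live/<name>/cert.pem is the usual certbot location.)
for f in "$@"; do
    cert_ok_for_days "$f" "${WARN_DAYS:-30}"; rc=$?
    case $rc in
        0) echo "OK       $f expires $(cert_not_after "$f")" ;;
        1) echo "WARNING  $f expires within ${WARN_DAYS:-30} days: $(cert_not_after "$f")" ;;
        *) echo "ERROR    $f is not a readable PEM certificate" ;;
    esac
done
```

Run it from cron against every certificate you care about and alert on any WARNING or ERROR line; it does not matter then who else puts your address on their certificates.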
Just use a never published, not easy to guess email address for Let's Encrypt. That way, if you ever receive such unjustified expiry emails on other email addresses, you can unregister for those, but still receive genuine expiry emails on your special LE email address.
I personally work with a catch-all mailserver, so I can put anything I want in front of the @.
My main purpose in posting is to point out that it is Let’s Encrypt that becomes the problem, not to solve my one or two certificates, nice though that might be. The ability to use it to attack others seems worth pointing out.
Note this isn’t a DoS attack, but a nuisance nonetheless. It’s like a spam you can’t ignore. Let’s Encrypt messages are important to me. I have to review every one. I don’t need a thousand to be a pain, just a few is enough. But it is easy to make a lot more.
I think calling this a "mild" DoS is a bit of a reach. It is an interesting way to socially engineer a victim into opting out of the email redundancy warnings.
The fix to this would be finally having a resubscribe option though. Gosh, wouldn't that be nice! Maybe I spoke incorrectly above, perhaps this is a SEVERE exploitation vector and the relevant tickets assigned to the email system should be prioritized into the next sprint!
IMHO, instead of building more into the current ESP - who is known to be rather pricy and very odd to work with - I think ISRG would likely have an overall cost savings by migrating to another ESP. Unless they are comping you, but I doubt they are. AWS and SendGrid come to mind as cost-effective alternatives; I'd be happy to speak to some of my email marketing contacts about this if anyone on staff wants to message me about volume.