Unsubscribe is a potential attack vector

I got an expiry notification yesterday. For a certificate I never created (no, very definitely not). This isn't the first time this has happened. Someone is using my email address to create their certificates. I can't unsubscribe from this because then I'd not get the important ones I created and need to be notified about.

This therefore creates a possible attack vector - I could create a lot of certificates with an email of my victim, and then ignore them. A while later they will be swamped with notifications from Let's Encrypt. And they cannot do anything about it. No way to unsubscribe from certain names, and keep their own.

This should be addressed.


For a domain that you don't control?
Is there a common IP between that domain and yours?

I'd change all my notices to an email address that would never be published, nor used anywhere else.


I have nothing to do with the domain. Think about it - when you create a certificate, you specify an email address. Nothing checks it. I could use support@letsencrypt.org in all my certificates, and I'd not be getting the emails.

And that's why "hiding" your email won't work - it doesn't matter. And given I can create certificates I don't care about at a high rate, and then leave Let's Encrypt to do the mail bombing in 60 days time, I do think this is an issue to be reviewed. It will bite someone bad one day.

I understand exactly how it "works" and, yes, it does leave much to be desired.

Can you answer this?:

How NOT?
Who would be able to guess a completely new (never used before) email address?


The first click on the unsubscribe link would cancel any and all such future emails [for a one year period].
The "attack" can be stopped with just one click.


Think further - clicking on the unsubscribe link sent to ME from the unknown person's certificate notification would stop me getting any further notifications from Let's Encrypt about MY legitimate domains. See:

Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.

So I cannot unsubscribe without causing myself "damage". And if I wanted, I could create a new certificate twice a day forever, and twice a day forever a junk notification would arrive at my target. And one day a real notification would arrive and they'd ignore it... Sure, if you don't have any certificates, that click solves it. But if an attacker knows your Let's Encrypt email, you will lose.



@mj2015 It's a fair point. As a work-around you could use a cert monitoring service and not rely on the emails from Let's Encrypt. The LE emails are only 'best efforts' and at times have been problematic anyway. So, don't even provide an email address to LE so you could unsub if bothered by misdirected emails.

You can build your own monitoring with openssl or use any number of websites that offer ssl monitoring. I even saw one called LetsMonitor.org which is a clever name but seems to have no affiliation with Let's Encrypt (or me).
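One way to do the self-monitoring suggested above with openssl, as an added example that is not from the thread (the 14-day warning window, the host names passed to `report`, and the self-signed test certificate are assumptions made here):

```sh
#!/bin/sh
# Added example, not from the thread: watch certificate expiry yourself with
# openssl instead of relying on Let's Encrypt's reminder emails.
# Assumes a POSIX shell, openssl, and GNU or BSD date.

# expires_within PEMFILE DAYS: exit 0 if the certificate expires within DAYS days.
# openssl's -checkend exits 0 when the cert is still valid at that point, so invert it.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# days_until_expiry PEMFILE: print whole days of validity left (negative if expired).
days_until_expiry() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  end_epoch=$(date -u -d "$end" +%s 2>/dev/null \
              || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$end" +%s)
  echo $(( (end_epoch - $(date -u +%s)) / 86400 ))
}

# fetch_cert HOST OUTFILE: save the leaf certificate a live server presents (needs network).
fetch_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# make_test_cert OUTFILE DAYS: constructed self-signed cert so the checks can run offline.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj '/CN=example.test' 2>/dev/null
}

# report HOSTS...: one line per host, flagging anything inside a 14-day window.
# Run it from cron; the RENEW flag is your reminder, no email provider involved.
report() {
  tmp=$(mktemp)
  for host in "$@"; do
    if fetch_cert "$host" "$tmp"; then
      if expires_within "$tmp" 14; then flag=RENEW; else flag=ok; fi
      printf '%s\t%s days\t%s\n' "$host" "$(days_until_expiry "$tmp")" "$flag"
    else
      printf '%s\tunreachable\n' "$host"
    fi
  done
  rm -f "$tmp"
}
```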


If I know your email address...
I could easier go to hundreds of porn/spam sites and register your email address with them.
[much more annoying and harder to stop]


Just use a never published, not easy to guess email address for Let's Encrypt. That way, if you ever receive such unjustified expiry emails on other email addresses, you can unregister for those, but still receive genuine expiry emails on your special LE email address.

I personally work with a catch-all mailserver, so I can put anything I want in front of the @. :slight_smile:

Also, for this you could perhaps use the + sign as described here: Using Email Plus Addressing · Will Koffel


My main purpose in posting is to point out that it is Let’s Encrypt that becomes the problem, not to solve my one or two certificates, nice though that might be. The ability to use it to attack others seems worth pointing out.

Like: Double "opt-in".
But the emailing is provided as a service (by a third party).
[very likely the lowest bidder - and, as always, you get what you pay for]


I agree there is a vector for abuse, but personally I wouldn't call it a vector for attack. And frankly, I think spammers/hackers/whatever have many other, more practical vectors to consider :slight_smile:

That said, let's just wait until a LE staff member comes by :slight_smile:


I agree, this is a possible vector for a mild DoS: preventing renewal reminder emails. For (very rare) higher severity notifications, though, we would contact subscribers manually.


This DoS doesn't scale well.
For each nuisance email, one valid cert must be issued.
[and then more than two months worth of waiting...]

If I want to DoS you with one hundred thousand emails, I would need to issue one hundred thousand unique certificates!


Even that might not be enough, @rg305. I think (I might be wrong here) that LE combines notifications, thus reducing the DoS payload.


Note this isn't a DoS attack, but a nuisance nonetheless. It's like spam you can't ignore. Let's Encrypt messages are important to me. I have to review every one. I don't need a thousand to be a pain, just a few is enough. But it is easy to make a lot more.

I think calling this a "mild" DoS is a bit of a reach. It is an interesting way to socially engineer a victim into opting out of the email redundancy warnings.

The fix to this would be finally having a resubscribe option though. Gosh, wouldn't that be nice! Maybe I spoke incorrectly above, perhaps this is a SEVERE exploitation vector and the relevant tickets assigned to the email system should be prioritized into the next sprint!

IMHO, instead of building more into the current ESP - who is known to be rather pricy and very odd to work with - I think ISRG would likely have an overall cost savings by migrating to another ESP. Unless they are comping you, but I doubt they are. AWS and SendGrid come to mind as cost-effective alternatives; I'd be happy to speak to some of my email marketing contacts about this if anyone on staff wants to message me about volume.


But you can.
You can easily remove all such "spam" with one single "unsub" click.


But that would prevent a user from getting expiry emails from Let's Encrypt, which was part of the issue raised in this thread.