Wondering if system notifies on possible cert forgeries

Just curious if the LE system has some type of automagic notification to one of your workers if an obvious forgery site certificate is attempting to be created, such as bank0famerica.com? Not that I want to do this, I was just reading up on Google Chrome’s HSTS opt-in and their description mentioned that and I started thinking that it would be a good feature although difficult to know what the intended purpose is I suppose, unless it is for any of the “big ones”. :slight_smile:

Hi @mushu,

I don’t think there’s really a strong connection between HSTS preloading and phishing. The HSTS preload list is meant to defend against a different threat than phishing, which is the SSL stripping attack or other ways of hijacking an HTTP session before the HTTPS session can begin.

I understand that. My comment was prompted by my reading, not by HSTS specifically. I probably shouldn’t have mentioned it in hindsight to avoid this type of confusion. I was just wondering if the automated certificate creation system had any type of fraud protection is all.

Aha! Well, Let’s Encrypt forbids issuance to certain domains on a blacklist, and also will not issue to domains listed as malicious by Google Safe Browsing. But I don’t believe there is a restriction on issuance based on similarity to a blacklisted domain or to another existing domain.

Hi @mushu

The best way of fighting this is certificate transparency logs.

DNS CAA and HTTP Public Key Pinning allow prevention, but for a heads-up, Certificate Transparency logs are the best.

crt.sh is one such site but unfortunately doesn’t currently have an API-based interface, so you have to scrape the results.

There is an NPM (node) project https://github.com/neilstuartcraig/tls-certificate-transparency-log-checker/blob/master/examples.md

Andrei
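As an added example (not part of this thread, and unrelated to the NPM project linked above), here is the kind of check a monitor over scraped Certificate Transparency records could run: each issued name is compared against a domain you watch, flagging look-alikes such as the bank0famerica.com case in the question. The record field names, the watched domain and the sample entries are constructed assumptions for the example.

```python
import difflib

# Domain to watch; assumed for this example.
WATCHED = "bankofamerica.com"

# Constructed sample records, shaped like rows scraped from a CT log viewer.
# "name_value" holds the certificate's DNS names, one per line.
SAMPLE_ENTRIES = [
    {"name_value": "www.bank0famerica.com\nbank0famerica.com", "issuer_name": "Example CA"},
    {"name_value": "bankofarnerica.com", "issuer_name": "Example CA"},
    {"name_value": "www.bankofamerica.com", "issuer_name": "Example CA"},
    {"name_value": "example.org", "issuer_name": "Example CA"},
    {"name_value": "login-bankofamerica.co", "issuer_name": "Example CA"},
]


def registrable(name: str) -> str:
    """Drop a leading wildcard and subdomains, keeping the last two labels.
    This is an approximation; a real monitor should use the Public Suffix List."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Collapse common homoglyph substitutions so look-alikes compare equal."""
    n = name.lower()
    for multi, single in (("rn", "m"), ("vv", "w")):
        n = n.replace(multi, single)
    return n.translate(str.maketrans("01357", "olest"))


def is_lookalike(name: str, watched: str = WATCHED, threshold: float = 0.85) -> bool:
    """True when `name` resembles `watched` but is not `watched` itself."""
    base = registrable(name)
    if base == watched:
        return False  # our own issuance; reconcile against expected certs elsewhere
    if normalize(base) == normalize(watched):
        return True  # pure homoglyph swap, e.g. bank0famerica.com
    if watched.split(".")[0] in base:
        return True  # brand embedded in another name, e.g. login-bankofamerica.co
    # Fall back to string similarity for near-typos.
    return difflib.SequenceMatcher(None, normalize(base), normalize(watched)).ratio() >= threshold


def scan(entries):
    """Return (dns_name, issuer) pairs from CT records that look like the watched domain."""
    flagged = []
    for entry in entries:
        for dns_name in entry["name_value"].split("\n"):
            if is_lookalike(dns_name):
                flagged.append((dns_name, entry["issuer_name"]))
    return flagged


if __name__ == "__main__":
    for dns_name, issuer in scan(SAMPLE_ENTRIES):
        print(f"look-alike issued: {dns_name} (issuer: {issuer})")
```

In practice the records would be fed in from a periodic scrape of a CT log viewer for your brand name, and each hit would raise a ticket for review rather than any automated action.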

Thanks for the info. This site has a good explanation of HPKP and even mentions Let’s Encrypt, saying not to pin the subscriber certificates because cert renewal issues new keys and will brick your website without a backup Pin: https://news.netcraft.com/archives/2016/03/30/http-public-key-pinning-youre-doing-it-wrong.html

Also found this, a new RFC draft that sounds much safer than HPKP: https://datatracker.ietf.org/doc/draft-sheffer-tls-pinning-ticket/

I think I’ll wait on doing HPKP, it sounds like a good thing but seems very risky.

hi @mushu

It is but not if you do it carefully :wink:

Doing a series on it soon but if you are wanting to find out more you can read more here: https://scotthelme.co.uk/hpkp-cheat-sheet/
Andrei
