
14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites - phsource
https://www.bleepingcomputer.com/news/security/14-766-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites/
======
mtgx
I'm not sure what the outrage is about here. If they don't say PayPal before
the URL, as PayPal's EV certificate does, then why does it matter that Let's
Encrypt issued SSL certs to websites that have PayPal in their names?

By that logic, I would much sooner be outraged at registrars for allowing
those guys to obtain domain names that put the PayPal name in the address bar.
But of course even that is a silly argument, as it's not the registrar's job
to enforce trademark protection for any company.

~~~
catdog
You are exactly right, not sure why you get downvoted. Let's Encrypt does
domain validation. It's perfectly fine that it issues a certificate to
paypal.com.phishysite.com to the rightful owner of phishysite.com. It's not
their fault that some people do not grasp what that type of certificate (which
is nothing new) assures and what not. If you really want to blame someone you
have to blame browser vendors for not making it clear enough inside their UI.

//edit: Trademark protection gets even easier as CT logs present such
potential violations on a silver plate.

------
bndr
The certificates serve their purpose - they encrypt the traffic between the
client and the website. I think Let's Encrypt does its job perfectly.

It's not Let's Encrypt's job to protect users from fraud.

------
ldd
I think the issue is an issue of education.

When I see the 'green' colour followed by the word 'secure' when visiting a
website using chrome, I know that this does not mean immediately that I have
to trust the site. I presume the vast majority of hacker news readers will
know better too. But what about the normal, average users?

I think we should just be more proactive in telling people what an SSL
certificate _actually_ is, and what https _guarantees_. Otherwise, we are not
really having a discussion.

~~~
zzzcpan
No, it's not about education, it's about a decent UX with some kind of anomaly
based warning system and privacy protection. It's really easy to detect a
phishing attempt. I've seen this idea proposed by security people in the past.
But it might have serious consequences for an advertisement industry, so you
won't see this in popular web browsers. You just have to accept that browser
vendors don't care about security and you, as a user, are their product.

------
anc84
I am glad Let's Encrypt is working so well that this is viable for the
scammers.

------
throwaway2016a
This isn't new... there has existed DNS only SSL certificate verification for
quite a while.

Let's Encrypt's only job is to not issue certificates to people who don't own
a domain. Not to ensure the content of the domain is legitimate. That's what
EV certs are for.

~~~
pfg
To be more specific: EV validates that the entity requesting the certificate
is who they claim to be, in addition to demonstrating domain ownership. No
validation level makes any kind of guarantee regarding the legitimacy or
accuracy of content.

~~~
throwaway2016a
Yes. Thank you for clarifying, I wasn't clear.

------
okket
The DNS registrars should be held accountable and informed about the abuse,
they are required to act.

[https://www.icann.org/resources/pages/abuse-2014-01-29-en](https://www.icann.org/resources/pages/abuse-2014-01-29-en)

~~~
ominous
You remind me of my friend, 'ollet', a close typo.

Your username has been reported. I was about to discuss sensitive information
with you. Luckily ycombinator will act.

[https://en.wikipedia.org/wiki/Social_engineering_(security)](https://en.wikipedia.org/wiki/Social_engineering_\(security\))

------
lotsoflumens
Perhaps the use of the word "certificate" is somewhat to blame here?

.. in ordinary English, a "certificate" is a proof or guarantee of
authenticity.

~~~
okket
The simple 'domain validated' certificates, which are the only ones Let's
Encrypt issues, only certify that the domain owner has access to the secret
key. It guarantees that the data exchanged is private, not that the domain
owner is doing nothing illegal.

~~~
lotsoflumens
Yes, _I_ know. Tell that to your grandmother.

~~~
okket
Can't, they are dead. But I have an idea:

Since all new Let's Encrypt certificates get reported to certificate
transparency sites, why not set up a bot that searches them for 'paypal' and
sends alarms to PayPal and the registrar about possible abuse?

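The CT-monitoring bot sketched in the comment above, as an added example that is not part of the thread and not code from Let's Encrypt or any CT log operator. It assumes a monitor has already pulled the dNSName SANs out of logged certificates (the `SAMPLE_ENTRIES` feed below is constructed for the demo), uses a last-two-labels approximation of the registrable domain instead of the Public Suffix List, and ships a deliberately small homoglyph table; the brand allowlist, the `Finding` type and all function names are this example's own choices. It also goes a little beyond a plain substring search for 'paypal': it distinguishes the `paypal.com.phishysite.com` pattern discussed earlier in the thread from lookalike registrable domains, skips the brand owner's own certificates, and groups hits by registrable domain, which is the unit a registrar abuse desk acts on.

```python
"""Brand-abuse monitor over Certificate Transparency (CT) log entries.

Added example for the thread above; not code from the thread, from Let's
Encrypt or from any CT log. It assumes the caller already extracted the SAN
dNSNames from each logged (pre)certificate. All sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Brands to watch, mapped to the registrable domains that legitimately carry
# them. Constructed allowlist; a real deployment loads this from config.
WATCHED_BRANDS = {"paypal": {"paypal.com", "paypal.me"}}

# Characters commonly substituted for letters in lookalike names.
# Deliberately minimal; a real deployment uses the Unicode confusables data.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "|": "l",
    "\u0430": "a",  # Cyrillic small a
    "\u0440": "p",  # Cyrillic small er (looks like Latin p)
})


@dataclass(frozen=True)
class Finding:
    name: str     # the certificate name that matched
    brand: str    # which watched brand it resembles
    reason: str   # why it was flagged


def registrable_domain(name: str) -> str:
    """Return the last two labels of a hostname.

    Simplification (assumption): the real check needs the Public Suffix List
    so that 'shop.example.co.uk' yields 'example.co.uk'.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    """Fold digits/homoglyphs to letters and drop separators so that
    'secure-paypa1-login' compares as 'securepaypallogin'."""
    return re.sub(r"[-_]", "", label.lower().translate(CONFUSABLES))


def analyze_name(name: str) -> List[Finding]:
    """Flag one SAN against every watched brand; wildcards are stripped first."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    reg = registrable_domain(host)
    findings: List[Finding] = []
    for brand, allowed in WATCHED_BRANDS.items():
        if reg in allowed:
            continue  # the brand owner's own certificate, nothing to report
        # e.g. paypal.com.phishysite.com: brand only in the left-hand labels,
        # the certificate was validated for phishysite.com's owner.
        if any(brand in normalize_label(lbl) for lbl in labels[:-2]):
            findings.append(Finding(name, brand,
                                    "brand in subdomain of unrelated registrable domain"))
        elif brand in normalize_label(labels[-2]):
            findings.append(Finding(name, brand,
                                    "brand embedded in registrable domain"))
    return findings


def scan_entries(entries: List[dict]) -> List[Finding]:
    """Run every SAN of every CT entry through analyze_name, de-duplicated."""
    findings: List[Finding] = []
    seen = set()
    for entry in entries:
        for san in entry["dns_names"]:
            for f in analyze_name(san):
                if (f.name, f.brand) not in seen:
                    seen.add((f.name, f.brand))
                    findings.append(f)
    return findings


def group_by_registrable(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group hits by registrable domain: one abuse report per registrant."""
    groups: Dict[str, List[str]] = {}
    for f in findings:
        groups.setdefault(registrable_domain(f.name), []).append(f.name)
    return groups


# Constructed sample feed shaped like what a CT monitor would hand us.
SAMPLE_ENTRIES = [
    {"issuer": "Let's Encrypt (sample)",
     "dns_names": ["paypal.com.phishysite.example",
                   "www.paypal.com.phishysite.example"]},
    {"issuer": "Example CA", "dns_names": ["paypal.com", "www.paypal.com"]},
    {"issuer": "Example CA", "dns_names": ["secure-paypa1-login.example"]},
    {"issuer": "Example CA", "dns_names": ["blog.unrelated.example"]},
    {"issuer": "Example CA", "dns_names": ["*.paypal.me"]},
]

if __name__ == "__main__":
    for reg, names in group_by_registrable(scan_entries(SAMPLE_ENTRIES)).items():
        print(f"report to registrar of {reg}: {', '.join(names)}")
```

Running the block reports two registrable domains: `phishysite.example` (two names carrying the brand as a subdomain) and `secure-paypa1-login.example` (a digit-for-letter lookalike), while the brand owner's own `paypal.com` and `*.paypal.me` certificates are ignored. The two reasons matter for triage: the subdomain pattern is exactly the "DV did its job" case the thread discusses, whereas a lookalike registrable domain is the one where the registrar, not the CA, holds the relevant lever.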
~~~
lotsoflumens
Yes! Just like a DMCA bot searches for media and automatically files a
complaint?

~~~
okket
I doubt it will be the same amount. This is real criminal scam and theft, not
drive-by ad-click farming.

