
Let’s Encrypt, Comodo blamed for issuing phishing SSL certificates - drewjaja
http://www.cso.com.au/article/617612/let-encrypt-comodo-blamed-issuing-apple-paypal-phishing-ssl-certificates/?utm_campaign=online-data-security-briefing-2017-04-13&utm_medium=newsletter&eid=-302&utm_source=online-data-security-briefing
======
sintaxi
Good! Encrypt everything.

A valid cert should not be an indicator that the content on a given site is
verified to not be harmful. It serves as verification that the content you
received came from the domain you requested. The role of Certificate
Authorities is not to censor content and never should be.

~~~
burntrelish1273
Encryption isn't any good if clients and servers can't nonrepudiate the other
party.

A web-of-trust overlay, which is non-authoritative, can help against most
attacks...

It would make more sense for an international, community-supported nonprofit
to take the lead on _opt-in_, high-confidence identity verification of
persons and companies (thorough physical and documentation checks).

Issuing certs to random people without any checks or barriers at all makes it
easy for crooks to obtain certs. Comodo/LE are going to have to do some basic
checks or major vendors will simply block them until they do.

~~~
toast0
From my experience, until recently, all an SSL certificate meant is you're
competent enough to receive mail for postmaster@, and you have a working
credit card. With LetsEncrypt, the bar is even lower.

Given the push for 100% HTTPS, of course scammers are going to get
certificates for their sites if the cost is low enough (still higher cost than
using a lock favicon, but hey). While a traditional CA might require human
review to issue a cert for paypalscam.example.org, they would probably issue
*.example.org, so a scammer would just have to pay a little more for the
wildcard.

Since LetsEncrypt participates in certificate transparency, a benefit is that
paypal can watch for all certificates issued with their name in the hostname,
and check if they need to start a takedown sooner than if they wait for
reports of phishing.
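
The monitoring idea above, as an added example that is not part of the thread or of any CT tooling: a brand owner scans certificate DNS names for its own name outside the domains it controls. The records, brand keywords and owned-domain allowlist are constructed for the example, and the record shape is simplified (a real monitor would pull entries from a CT log or monitoring service and extract the SANs itself).

```python
# Minimal brand-name monitor over Certificate Transparency data (added example).
# Records are constructed and simplified: a log index plus the certificate's
# DNS names. The keyword list and owned-domain allowlist are also constructed.

BRAND_KEYWORDS = ("paypal", "apple")          # brands to watch
OWNED_DOMAINS = {"paypal.com", "apple.com"}   # domains the brands legitimately control

# Constructed CT-style records, not real log data.
SAMPLE_ENTRIES = [
    {"index": 1001, "dns_names": ["paypal.com", "www.paypal.com"]},
    {"index": 1002, "dns_names": ["paypal.com.secure-login.example.org"]},
    {"index": 1003, "dns_names": ["*.example.org"]},
    {"index": 1004, "dns_names": ["appleid-verify.example.net", "mail.example.net"]},
    {"index": 1005, "dns_names": ["pineapple.example.com"]},
]


def is_owned(hostname: str) -> bool:
    """True if the name is one of the brand's own domains or a subdomain of one."""
    host = hostname.lower()
    if host.startswith("*."):          # a wildcard covers the base domain and below
        host = host[2:]
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def brand_hits(hostname: str) -> list:
    """Keywords found in any label of the hostname.

    Substring matching is deliberately broad: it catches 'appleid-verify' but
    also 'pineapple', so hits are candidates for triage, not verdicts."""
    labels = hostname.lower().split(".")
    return [kw for kw in BRAND_KEYWORDS if any(kw in label for label in labels)]


def flag_entries(entries) -> list:
    """Return (log_index, hostname, keyword) for each SAN that mentions a brand
    outside the brand's own domains. A bare wildcard such as *.example.org
    carries no brand label, so it passes unflagged; that is the gap the post
    above describes (the scammer hides the phishing label under the wildcard)."""
    findings = []
    for entry in entries:
        for name in entry["dns_names"]:
            if is_owned(name):
                continue
            for kw in brand_hits(name):
                findings.append((entry["index"], name.lower(), kw))
    return findings


if __name__ == "__main__":
    for idx, name, kw in flag_entries(SAMPLE_ENTRIES):
        print(f"entry {idx}: {name} mentions '{kw}' outside owned domains")
```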

------
oxguy3
A DV certificate does not certify that example.com is trustworthy; it only
certifies that the content you're seeing is indeed from example.com. If users
are mistakenly assuming DV certs have more meaning than that, then that is a
UI issue with browsers, not an issue with the CAs.

------
syncsynchalt
"Anti-phishing firm Netcraft [...]"

Is this a pivot or just a bad article?

