
How does Let's Encrypt handle possible phishing domains?

Even if there's zero mitigation I think the benefits will outweigh the downsides, but I wonder if there's anything that stops a criminal from registering a domain that is very similar to, say, that of a bank?

I know from experience (ethical hack) that the traditional authorities won't easily let you register 'suspicious' names like: <bank>-<name>.com where the original domain is <bankname>.com. Or something like that.




You are misunderstanding the purpose of SSL certificates. An SSL certificate certifies that a specific private key belongs to the owner/operator of a specific domain (or so it is intended), not that the domain is trustworthy. It's only about identity, not about trustworthiness, which is how it should be; it's not up to some private business to decide who is trustworthy and who is not.



I'd like to know more about this. When you buy a domain-validated SSL certificate (that costs $5-10) for which the process is completely automated, does the issuing authority really check or care about which domain it is being used on? Does a human (or a program) check the "suspicious factor" of the domain?


No. It's easy to currently register an SSL certificate for any domain, even if that domain is similar to the name of another. The main reason this was a "deterrent" to phishers is that generating tons of these was expensive.

The phishers still have to front the cost for the domain itself, so this really isn't going to increase the number of phishing domains. It may increase the number of phishing domains with SSL, but the purpose of Let's Encrypt is to encrypt everything -- not just "official domains".


No, you are wrong. Perhaps it's not the case everywhere. But like I said, from personal experience I know that certain types of domains are checked. I tried and failed to register a certificate for a phishing domain that masqueraded as a banking website.

Whether or not this was originally the point of SSL or not, this is how many non-technical people decide to trust a page or not: by looking at the lock in their browser.


> No, you are wrong. Perhaps it's not the case everywhere. But like I said, from personal experience I know that certain types of domains are checked. I tried and failed to register a certificate for a phishing domain that masqueraded as a banking website.

I never said it's the case everywhere. I said it's easy to register an SSL certificate for basically any domain you actually own, which is true. Basic SSL certificates are not designed to provide extended validation (there are EV certificates for that), they are designed to identify that domain.



