14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites (bleepingcomputer.com)
20 points by Jerry2 1 hour ago | hide | past | web | 8 comments | favorite

I don't think this is a problem.

If those sites should not be allowed to own the domain names they are using, then the registrars can take the names back.

All the DV certificate means is "you are using an authenticated connection to the server that answers for foo.com".

TLS doesn't have anything to do with the ethics, morality, or legality of the site operators.

It's too bad that we've trained laypeople to think otherwise. But, even a phishing site should be served over HTTPS. Otherwise, the user will be vulnerable not only to the phishing site, but every intermediate server that the connection passes through.

reply


The blame is misplaced. DV certificates were never meant to protect against phishing. Chrome is just doing it wrong.

In my opinion, there should be no padlock, no visual indicators that a connection is secure for DV certs. The end user doesn't have to know a website uses HTTPS. The padlock should only show up (along with the company name) when the website uses an EV certificate.

reply


That would imply that there is no security benefit whatsoever provided by a DV certificate. To prove that DV certificates are usually seen as "better than nothing", just consider the difference browsers make in their treatment of self-signed certificates.

I'm also in the position of running a small online business on the side, and such a change would almost certainly require an upgrade to an EV certificate. While we have thought about it (and I have tried to find some data on changes in conversion rates possibly coming from it), I haven't quite been able to convince myself that the costs and hassle are worth it.

The process may be prohibitively expensive in some countries, or for some very small operations.

reply


Not just Chrome, also PayPal, which allows basically unlimited access to your account with just a username and password.

reply


And Symantec lost their certification rights because they issued certificates to test.com and example.com?

reply


I was about to applaud the author for highlighting that LE isn't a position to do anything about this, but then... the article takes a very strange turn to blame LE anyway.

I advocate quite often for presenting the other side's best possible arguments, but I guess that I should include a recommendation to actually engage with these as well. In this case, it doesn't amount to much more than "but still..."

reply


This is sourced from https://www.thesslstore.com/blog/lets-encrypt-phishing/, which comes from a division of "the world’s leading SSL/TLS reseller" (https://www.thesslstore.com/blog/about-the-ssl-store/amp/).

(Not disputing the data.)

reply


I wonder what the solution to this can be.

Should the CA prevent people from getting certificates for domains containing the names of 'big' websites and corporations? Should browsers make it more obvious that the website has an EV certificate? Maybe also try to detect phishing URLs?

reply
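Two points in the thread can be made concrete in code: the claim that a DV certificate only binds a name to the server that answers for it (so hostname matching is the whole guarantee), and the question of whether anyone could spot "paypal"-flavoured names in newly issued certificates. The following is an added example, not code from the article, from Let's Encrypt or from any commenter. It implements RFC 6125-style hostname matching against a certificate's SAN list, plus a defender-side triage heuristic of the kind a Certificate Transparency monitor might run for a brand owner. The certificate records are constructed sample data, the brand list is hypothetical, and the "registrable domain" is approximated as the last two labels (no public suffix list), which is an assumption that a production monitor would replace.

```python
# Constructed sample records in the shape a CT-log monitor might return.
# These are hypothetical names, not data from the article.
SAMPLE_CERTS = [
    {"issuer": "Let's Encrypt", "sans": ["paypal.com.secure-login.example"]},
    {"issuer": "Let's Encrypt", "sans": ["www.paypal.com"]},
    {"issuer": "Let's Encrypt", "sans": ["blog.example"]},
    {"issuer": "Let's Encrypt", "sans": ["*.paypal-verify.example"]},
]

# Hypothetical brand list a monitor would be configured with.
BRANDS = {"paypal"}


def hostname_matches(hostname, san):
    """RFC 6125-style match of one presented hostname against one dNSName SAN.

    A wildcard is honoured only as the entire left-most label, so
    '*.example' covers 'a.example' but not 'a.b.example' or 'example'.
    This is all a DV certificate asserts: the name, nothing about intent.
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        h_labels = hostname.split(".")
        s_labels = san.split(".")
        return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]
    return hostname == san


def cert_valid_for(hostname, sans):
    """True if any SAN in the certificate covers the hostname."""
    return any(hostname_matches(hostname, s) for s in sans)


def lookalike_brand(hostname, brands=BRANDS):
    """Return a brand name that appears in a non-registrable label of hostname.

    Assumption: the registrable domain is the second-to-last label (no public
    suffix list). 'www.paypal.com' is the brand's own domain and is not
    flagged; 'paypal.com.secure-login.example' and '*.paypal-verify.example'
    are, because 'paypal' occurs outside the owning label.
    """
    name = hostname.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]
    for brand in sorted(brands):
        if registrable == brand:
            continue  # legitimately owned by the brand under this approximation
        if any(brand in label for label in labels[:-1]):
            return brand
    return None


def flag_suspicious(certs, brands=BRANDS):
    """Triage a batch of certificate records; returns (san, brand) pairs to review."""
    hits = []
    for cert in certs:
        for san in cert["sans"]:
            brand = lookalike_brand(san, brands)
            if brand:
                hits.append((san, brand))
    return hits


if __name__ == "__main__":
    # The cert for www.paypal.com says nothing about paypal.com itself.
    print(cert_valid_for("paypal.com", ["www.paypal.com"]))
    for san, brand in flag_suspicious(SAMPLE_CERTS):
        print(f"review: {san} (contains brand {brand!r})")
```

The matching function shows why a DV certificate for a phishing name is not a CA failure: the certificate is valid for exactly the name it was issued for and the browser checks only that. The triage function is the part that actually belongs to the brand owner or a monitoring service, feeding a human review queue rather than blocking issuance.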
