ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites

    IT Discussion
    lets encrypt ssl certificates phishing
    5
    7
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • AmbarishrhA
      Ambarishrh
      last edited by

      https://www.bleepingcomputer.com/news/security/14-766-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites/

      1 Reply Last reply Reply Quote 1
      • scottalanmillerS
        scottalanmiller
        last edited by

        Nothing surprising there, not LE's job to determine the role of the site in question. Of course they issues certs. Some registrar and some DNS provider helped with all of that, too.

        JaredBuschJ 1 Reply Last reply Reply Quote 2
        • ObsolesceO
          Obsolesce
          last edited by

          I don't think an SSL cert implies that the site you are on is legitimate.

          It's more to ensure your connection to the site is "secure"... whether it's a phishing site or not is besides the point.

          If the phishing site is using SSL, then I can at least be sure that any info going to them is at least not being intercepted and modified by someone else, LOL!

          1 Reply Last reply Reply Quote 2
          • JaredBuschJ
            JaredBusch @scottalanmiller
            last edited by

            @scottalanmiller said in 14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites:

            Nothing surprising there, not LE's job to determine the role of the site in question. Of course they issues certs. Some registrar and some DNS provider helped with all of that, too.

            Exactly this. It is 100% impossible to get a LE cert unless someone else has already allowed the domain name, thus the registrars. I get that most of these are sub domains, so that then leads us to DNS services.

            The purpose of any Certificate Authority (CA) is only to validate ownership of the domain by the person requesting the certificate.

            1 Reply Last reply Reply Quote 4
            • StuartJordanS
              StuartJordan
              last edited by

              I don't see why Let's Encrypt should govern websites, I think let's encrypt has done a great job trying to push all websites to use ssl. Out of good there will always be bad folks taking advantage.

              JaredBuschJ 1 Reply Last reply Reply Quote 2
              • JaredBuschJ
                JaredBusch @StuartJordan
                last edited by

                @StuartJordan said in 14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites:

                I don't see why Let's Encrypt should govern websites, I think let's encrypt has done a great job trying to push all websites to use ssl. Out of good there will always be bad folks taking advantage.

                No CA should govern websites. I like what the linked article said about that actually.

                That said, proven abuse at this scale can easily be handled if they choose.

                1 Reply Last reply Reply Quote 0
                • JaredBuschJ
                  JaredBusch
                  last edited by JaredBusch

                  There is a blacklist that all CA's have on high dollar domain names to prevent major fraud. LE cannot issue for something.microsoft.com or something.bestbuy.com for example.

                  But the sub domain names used in these PayPal examples are all outside of that. They are all on valid (ish) TLD.

                  1 Reply Last reply Reply Quote 3
                  • 1 / 1
                  • First post
                    Last post