Security Experts:

Let's Encrypt Wildcard Certificates a 'Boon' for Cybercriminals, Expert Says

To speed up the adoption of HTTPS, free and open Certificate Authority (CA) Let’s Encrypt will start issuing wildcard certificates as of January 2018.

Created by Mozilla, the University of Michigan, and the Electronic Frontier Foundation (EFF), with Cisco and Akamai as founding sponsors, Let’s Encrypt is pushing for a fully encrypted World Wide Web. The move should help better protect user data from eavesdroppers, but some concerns have been raised about the new offering.

Let’s Encrypt came out of private beta in December 2015 and issued its millionth certificate in March 2016. Last week, the organization announced it had already issued over 100 million security certificates, thus becoming one of the largest CAs by number of issued certificates.

Now, the organization is moving to accelerate HTTPS deployment by starting to issue wildcard certificates, “a commonly requested feature.”

“A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier,” Josh Aas, ISRG Executive Director, notes.

Let’s Encrypt’s over 100 million digital certificates are used to secure around 47 million domains, which also benefit from the CA’s fully automated DV certificate issuance and management API. According to Aas, Let’s Encrypt’s service already helped the percentage of encrypted page loads to rise from 40% to 58%.

The organization will be offering wildcard certificates free of charge via an upcoming ACME v2 API endpoint. Only base domain validation via DNS will be supported in the beginning, but the CA may explore additional validation options over time.

“We decided to announce this exciting development during our summer fundraising campaign because we are a nonprofit that exists thanks to the generous support of the community that uses our services. If you’d like to support a more secure and privacy-respecting Web, donate today,” Aas concludes.

Let’s Encrypt’s goal might be improved security and privacy for all users, but it doesn’t mean that its certificates can’t be misused. In March 2017, encryption expert Vincent Lynch revealed that, over a 12-month period, Let’s Encrypt issued over around 15,000 security certificates containing the term PayPal for phishing sites.

According to Kevin Bocek, chief security strategist for Venafi, Let’s Encrypt’s introduction of free wildcard certificates is great for privacy, but a boon for cybercriminals. 

“Cybercriminals can create thousands of fake websites using Let’s Encrypt’s wildcard certificates, all with a seemingly trustworthy glowing green padlock in the web browser address field,” Bocek told SecurityWeek. “We have seen bad actors abuse Let’s Encrypt certificates before: more than 14,000 certificates were issued for PayPal phishing websites by Let’s Encrypt, a powerful example of how bad guys exploit Certificate Authority business processes.” 

“There’s no putting the Let’s Encrypt genie back in the bottle, but this means every organization could be a victimized by malicious websites designed to spoof their customers and partners,” Bocek added. “This means every organization must monitor the internet for malicious certificates. Google’s Certificate Transparency initiative and other similar technologies allow organizations to spot fake or malicious certificates regardless of the CA.”

Mike Lennon contributed to this report

Related: Mandatory Certificate Authority Authorization Checks Will Boost Domain Security

Related: Let's Encrypt Issues 15,000 Fraudulent "PayPal" Certificates Used for Cybercrime

view counter