Armour Comms launches industry leading secure Grou... » London: In direct response to customer demand, Armour Communications has announced the availability ... TDSi Supports Education Programme at IFSEC Inter... » Poole: Integrated security manufacturer TDSi will be sponsoring the Tavcom Training Theatre at IFSEC... 'POWER PLAYERS' INITIATIVE OPENS TO ENTRIES » Leading younger people from across the engineering services sector have a new opportunity to be reco... Multitone launches comprehensive EkoCare Communi... » Multitone Electronics plc has announced the launch of its new EkoCare range for healthcare facilitie... Momentum builds as Critical Communications World d... » Critical Communications World (May 16-18, Hong Kong) is the leading and most influential congress an... New initiative shows increasing importance of CSR » A major new survey on corporate social responsibility (CSR) is now open to electrotechnical busine... OF FOOLS OF THE MIDDLE BELT, ONE NORTH AND PASTORA... » SERIES: BUHARISM AND THE FIERCE URGENCY OF NOW A treatise on pastoral jihadism, islamism, arabism a... Commvault partners with Pure Storage » Cisco Live, Melbourne, AU and Tinton Falls, NJ: Commvault has announced the integration of its Commv... OF FOOLS OF THE MIDDLE BELT, ONE NORTH AND PASTOR... » A treatise on pastoral jihadism, islamism, arabism and cultural imperialism in Nigeria (Ephesians ... Where was Aisha Buhari when idiot Kumapayi flagr... » "Clip-clip..clip-clip...Did you not hear when BABA DAURA say women's place is in the kitchen?" ...



Talking Point Banner

During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word "PayPal" in the domain name or the certificate identity.

“Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store.

His findings reveal how phishers gradually tested if they could get, deploy, and keep hold of Let's Encrypt certificates for malicious websites.

Around October and November last year, the floodgates opened, and the number of Let's Encrypt SSL certificates issued for PayPal-themed phishing sites increased in a dramatic fashion.”

The article contains useful insight and images which show a fake PayPal site vs a genuine one. Although the fake sites will usually be spotted and taken down within a couple of days, this is often enough time to do some damage.


Ilia Kolochenko, CEO of web security company High-Tech Bridge comments: “I think we should separate HTTP traffic encryption and website identity verification questions. Let’s Encrypt’s mission is to globally convert plaintext HTTP traffic to encrypted HTTPS traffic, and they are doing it pretty well. Nonetheless, they should have foreseen massive abuse by phishers, and implement at least some basic security verifications, such as refusing SSL certificates for domains that contain popular brand names inside.

Speaking particularly about the phishing problem, I think web browsers marking any HTTPS website as secure - are more responsible for the problem. Web browsers encourage users to blindly trust the HTTPS websites’ security without any justifiable reason, failing to mention that it’s only about channel encryption and almost nothing about website trustworthiness or web application security. Therefore, now it’s difficult to measure whose carelessness contributed more to the skyrocketing phishing campaigns.

Last but not least, the idea of encrypting all web traffic remains questionable, as it allows malware to easily bypass various security mechanisms more efficiently, causing huge damage to the end users and companies. I am quite sure that if we will see how many of Let’s Encrypt SSL certificates are used by malware to exfiltrate stolen data – results will be pretty scary. Therefore, it’s difficult to predict how Let’s Encrypt will shape its growth strategy in the future to preclude cybercriminals from abusing its desire to make the web safer.”