I will go so far as to say that Let’s Encrypt revolutionized the Transport Layer Security (TLS) certificate market. There were a few free sources of certificates before, but the general rule remained that you had to pay if you wanted a secure connection for your website. Then Let’s Encrypt launched. Now anybody can get a certificate for their website for free, and on top of that Let’s Encrypt greatly simplified issuance and renewal by automating them. So it’s no surprise that certificate vendors are feeling the squeeze and responding desperately:
The fact that Let’s Encrypt is now being used to make phishing sites look legit is a total burn for us, and a potential house fire for users who rely on simple cues like the green padlock for assurance. According to certificate reseller The SSL Store, “between January 1st, 2016 and March 6th, 2017, Let’s Encrypt has issued a total of 15,270 SSL certificates containing the word ‘PayPal’.”
Keep in mind that the SSL Store is a provider of those incredibly overpriced certificates, so Let’s Encrypt’s mission isn’t necessarily in their interests. Even still, their post points out that the “vast majority of this issuance has occurred since November — since then Let’s Encrypt has issued nearly 100 ‘PayPal’ certificates per day.” Based on a random sample, SSL Store said, 96.7 percent of these certificates were intended for use on phishing sites.
The reseller added that, while their analysis has focused on fake PayPal sites, the firm’s findings have spotted other SSL phishing fakers, including Bank of America, Apple IDs, and Google.
The SSL Store paints a frightening picture. But the picture requires ignoring two facts.
First, TLS doesn’t verify whether a website is legitimate. A TLS client verifies two things: that the hostname you are connecting to appears in the certificate the server presents (in its Subject Alternative Name list), and that the certificate chains to a certificate authority your browser trusts. Let’s Encrypt issues domain-validated certificates, which assert nothing beyond control of that hostname. For example, if you connect to https://paypaltotallyascam.com, your browser checks that the certificate covers the name paypaltotallyascam.com and that it was issued by a trusted authority. The string “paypal” inside that name is never examined; TLS is not magical and cannot determine whether the site is a scam.
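To make the point concrete, here is the hostname check a TLS client performs, written as an added example for this post (it is not code from Let’s Encrypt or from any browser). The “certificate” is a constructed dict standing in for the parsed Subject Alternative Name extension, and the matching rules follow RFC 6125 / RFC 9525: case-insensitive comparison, a wildcard allowed only as the entire left-most label and matching exactly one label. Nothing in it looks at what a name means.

```python
"""Hostname verification as a TLS client does it (RFC 6125 / RFC 9525 rules).

Constructed example: the "certificate" is a plain dict standing in for the
parsed X.509 subjectAltName extension, so this runs offline.
"""


def _label_matches(pattern: str, label: str) -> bool:
    # Only a whole-label wildcard ("*") is accepted; partial wildcards such as
    # "pay*" are rejected, which is what modern browsers do.
    return pattern == "*" or pattern == label


def dns_name_matches(presented: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname

    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    # The wildcard may appear only as the entire left-most label and must
    # match exactly one label: "*.example.com" covers neither "example.com"
    # nor "a.b.example.com". Requiring at least two labels after the wildcard
    # means a bare "*.com" is never honoured.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Check hostname against the certificate's dNSName SANs only.

    Nothing here inspects what the name *means*: a certificate for
    paypaltotallyascam.com passes for that host exactly like any other.
    """
    return any(dns_name_matches(n, hostname) for n in cert.get("dns_names", []))


# Constructed certificate data for the scam domain used in the post.
SCAM_CERT = {"dns_names": ["paypaltotallyascam.com", "www.paypaltotallyascam.com"]}

if __name__ == "__main__":
    for host in ("paypaltotallyascam.com", "paypal.com", "login.paypaltotallyascam.com"):
        print(f"{host:32} -> {hostname_matches_cert(SCAM_CERT, host)}")
```

Run it and the scam domain validates while paypal.com does not, which is exactly the guarantee TLS gives: you are talking to whoever controls the name you typed, nothing more.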
Second, you can’t even get a certificate from Let’s Encrypt unless you have a registered domain name and can prove you control it; Let’s Encrypt checks that with an automated challenge before it issues anything. So why does Let’s Encrypt get all of the blame and not the domain registrar that allowed paypaltotallyascam.com to be registered in the first place? Because registrars aren’t a threat to The SSL Store’s business model; Let’s Encrypt is.
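What that proof of control looks like, as an added example that is not part of the original post: Let’s Encrypt speaks ACME (RFC 8555), and in the HTTP-01 challenge the CA hands the applicant a random token which must be served, combined with a thumbprint of the applicant’s account key, at a well-known URL on the domain. Being able to place that file on the host the domain resolves to is the entire check. The account key below is a made-up JWK, not a real key, and the token is constructed.

```python
"""ACME HTTP-01 key authorization (RFC 8555 section 8.1) with the
RFC 7638 JWK thumbprint it depends on. Constructed example: the account key
is a placeholder JWK, not a real RSA key."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: the members that feed the thumbprint, per key type.
_REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, lexicographically ordered, with
    no whitespace. Optional members such as kid or alg do not take part."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The body the applicant must serve: token || "." || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """Where the CA fetches the key authorization from (RFC 8555 section 8.3)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


# Constructed account key and token; the modulus is not a real RSA value.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus", "kid": "acct-1"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    domain = "paypaltotallyascam.com"
    print("CA fetches:", challenge_url(domain, TOKEN))
    print("and expects:", key_authorization(TOKEN, ACCOUNT_JWK))
```

Note what the check does and does not establish: the CA learns that whoever holds the account key can publish content on the host that paypaltotallyascam.com points to. Who that party is, and whether they have anything to do with PayPal, is never part of the exchange.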
This report by The SSL Store is nothing more than the desperate thrashings of a dying business model.