MORE THAN 15,000 SSL certificates have been issued to PayPal phishing sites, according to research from The SSL Store.
Earlier this month Vincent Lynch, the SSL Store's encryption expert, called on free open certificate authority Let's Encrypt to stop issuing certificates with the word 'PayPal'. He said that certificates containing the term were being "pervasively abused", and that the continued issuance of the certificates "posed a danger to the web by bestowing legitimacy to phishing sites".
It had found that Let's Encrypt had already issued nearly 1,000 certificates containing the term 'PayPal', more than 99 per cent of which were intended for phishing sites.
Now, the SSL Store has found that this was a major underestimate. It claims that Let's Encrypt has actually issued 15,270 'PayPal' certificates, more than ten times larger than previous estimates.
It said that the majority of this issuance had occurred since November 2016, and that Let's Encrypt was issuing nearly 100 'PayPal' certificates per day since then.
Based on a random sample, the SSL Store said that 96.7 per cent of these certificates were intended for use on phishing sites.
The concern from the SSL Store is that many phishing sites will be using an SSL certificate and HTTPS configuration and that users will misconstrue this as a legitimate site.
As well as PayPal phishing, other targets include Bank of America, Apple IDs and Google. Lynch said that Let's Encrypt had issued thousands more of these certificates.
"The new data clearly shows that use of HTTPS on phishing sites is significantly higher than previously thought," he said.
While the fake websites will usually be spotted and taken down within a couple of days, this is often enough time for phishers to do some damage.
According to Ilia Kolochenko, CEO of web security company High-Tech Bridge, Let's Encrypt's is doing a good job in its mission to globally convert plaintext HTTP traffic to encrypted HTTPS traffic.
However, he believes that the company "should have foreseen massive abuse by phishers".
"[Let's Encrypt] should implement at least some basic security verifications, such as refusing SSL certificates for domains that contain popular brand names inside," he said.
But Kolochenko believes that web browsers marking any HTTPS website as secure is more responsible for increasing problem with phishing.
"Web browsers encourage users to blindly trust the HTTPS websites' security without any justifiable reason, failing to mention that it's only about channel encryption and almost nothing about website trustworthiness or web application security," he said, emphasising that it was now difficult to determine whose carelessness contributed more to the increase of phishing campaigns.
Kolochenko also questions whether it is reasonable to encrypt all web traffic, as he believes it allows malware to easily bypass various security mechanisms more efficiently, causing huge damage to end users and companies.
"I am quite sure that if we will see how many of Let's Encrypt SSL certificates are used by malware to exfiltrate stolen data - results will be pretty scary. Therefore, it's difficult to predict how Let's Encrypt will shape its growth strategy in the future to preclude cybercriminals from abusing its desire to make the web safer," he said. µ
But we probably won't see it until next year
Why stick a finger in a dyke when you can ram the entire boy in the hole, eh?
Reminds us that we're supposed to be able to trust them
'Exclusive' model starts shipping on 29 June