Paul Walsh via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>The data suggests that automatically issued DV certs for free is a favorite
>for criminals.

True, but that one's just an instance of Sutton's Law, they go for those
because they're the least effort. I was at a talk yesterday by a pen-tester
who talked about phishing CEOs and the like and a throwaway comment he used
at one point was "we got a cert [for their phishing site] from Let's
Encrypt". It was completely casual, just a built-in part of the process,
because the years of training people to look for the padlock/green
bar/dancing unicorns means that that's what the bad guys do to make the
phish look more convincing.

If Let's Encrypt didn't exist, the phrase would have been "we bought a cheap
cert from GoDaddy". If browsers only allowed EV certs, it would have been
"we bought an EV cert through a shell corporation" or "... from an
underground market".

Point is, once you've got some universally-recognised signalling mechanism
that a site is OK, it'll be used by the bad guys to make their attacks
totally convincing, whether it's DV certs, EV certs, free certs, expensive
certs, or whatever.

>I can't add any more evidence to prove that something needs to be done about
>Let's Encrypt as an entire initiative is an overall failure in my opinion.

It's actually been phenomenally successful. Browsers won't allow you to
encrypt a connection without a certificate, and Let's Encrypt enables that.
It hands out magic tokens to turn on encryption in browsers, nothing more,
nothing less, and it's been very successful at that.

Peter.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy