
Domain validation certificates: What are the security issues?

Let's Encrypt domain validation certificates had some security issues. Expert Matthew Pascucci explains how DV certificates work and what the issues were.

There were reported issues with Let's Encrypt domain validation certificates, which were being used by threat actors for phishing sites. How do domain validation certificates work, and what were the issues?

Let's Encrypt is a free and open certificate authority that enables those who might not otherwise be able to afford or configure HTTPS on their web servers to protect their sites.

Tools built in partnership with Let's Encrypt, such as the Electronic Frontier Foundation's Certbot, let website administrators enable TLS on their sites at no cost, and even automate the configuration of cipher suites and other encryption settings.

The major goal of Let's Encrypt is to create a secure internet, with all sessions encrypted in transit. Let's Encrypt has major sponsors assisting its community -- including Mozilla, Cisco, Electronic Frontier Foundation, Google, Facebook and others -- that have offered their support for the service.

One of the concerns raised by others in the field is that Let's Encrypt does little in the way of security checks on its domain validation certificates. A domain validation certificate validates only that you own the domain name, and normally does so via email. This means an attacker can register domain names similar to those of popular websites and have certificates issued for them with no validation beyond that. The vast majority of such domains are likely to be used in phishing campaigns, which now present legitimate SSL/TLS certificates on malicious sites that mimic similar domain names.
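As an added example (not code from the article or from Let's Encrypt), here is a small Python triage script a defender might run over hostnames surfaced by a Certificate Transparency monitor: it separates a brand's own domains from look-alike registrations and hostnames with the brand name embedded, the pattern the paragraph above describes. The brand watch-list and the sample hostnames are constructed for illustration.

```python
# Constructed watch-list; a real deployment would load the organisation's own domains.
WATCHED = ["paypal.com", "examplebank.com"]
# Digit-for-letter swaps commonly used to imitate a brand name.
DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fold(label: str) -> str:
    """Collapse look-alike spellings: 'paypa1' and 'pay-pal' both become 'paypal'."""
    return label.replace("rn", "m").replace("vv", "w").replace("-", "").translate(DIGIT_FOLD)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (textbook dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str, watched=WATCHED):
    """Return (verdict, brand): legitimate, lookalike-apex, brand-embedded or unrelated."""
    host = hostname.lower().rstrip(".")
    host = host[2:] if host.startswith("*.") else host  # wildcard certificates
    labels = host.split(".")
    apex_label = labels[-2] if len(labels) >= 2 else labels[0]  # ignores suffixes like co.uk
    for brand in watched:
        name = brand.split(".")[0]
        if host == brand or host.endswith("." + brand):
            return "legitimate", brand  # the brand's own domain or a subdomain of it
        if levenshtein(fold(apex_label), name) <= 1:
            return "lookalike-apex", brand  # e.g. paypa1.com, paypai.com, pay-pal.com
        if any(name in fold(lbl) for lbl in labels):
            return "brand-embedded", brand  # e.g. paypal.com.account-verify.example
    return "unrelated", None


def triage(sans, watched=WATCHED):
    """Keep only the hostnames that deserve a closer look."""
    verdicts = {h: classify(h, watched) for h in sans}
    return {h: v for h, v in verdicts.items() if v[0] in ("lookalike-apex", "brand-embedded")}


# Constructed sample: names as a Certificate Transparency monitor might surface them.
SAMPLE_SANS = ["www.paypal.com", "login.paypa1.com", "paypal-secure-login.example",
               "paypal.com.account-verify.example", "news.example.org"]
SUSPICIOUS = triage(SAMPLE_SANS)  # the three imitating names, each with verdict and brand
```

The digit and hyphen folding only covers ASCII tricks; internationalised domain names need a separate Unicode confusables table.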

Let's Encrypt has recognized the issue and has begun to encrypt these sessions, and it is focusing its funding on automation rather than on individually reviewing each application. At this point, Let's Encrypt doesn't have the resources to review every certificate, and doesn't want to get into the censorship game by deciding who's allowed to apply for a certificate.

Other certificate authorities offer organization validation and extended validation certificates that require additional steps from the requester before the certificate is granted. These are also the certificates that display the company's name in the address bar and turn it green. These certificates are expensive, and the majority of the internet might not need them just yet. Having the option to get domain validation certificates free of cost helps to encrypt the internet, but it leaves pitfalls for attackers to exploit.

One of the areas we need to do better in with this issue is education. If someone clicks a URL because they assume they're completely secured due to HTTPS or the lock in the address bar, we haven't done our jobs. In the past, maybe it was less risky to click these links, but that didn't make them secure from malicious intent. If a user associates HTTPS with being completely secure against all threats, we have some work to do in this area of security awareness.

Also, from Let's Encrypt's standpoint, I'd like to see some form of checks and balances on how certificates are validated and distributed. There is a fine line between staying open and allowing others to abuse a service. Let's Encrypt has done a lot to secure the internet, but applying some form of validation would make the service even better. It's not easy, but it's certainly possible within their service. They've already created a free certificate authority, which seemed impossible, so anything they put their minds to can be achieved.



This was last published in May 2017
