Trend Micro: Internet scum grab Let's Encrypt certs to shield malware
Angler kit served via compromised HTTPS websites
Updated: It was inevitable. Trend Micro says it has spotted crooks abusing the free Let's Encrypt certificate system to smuggle malware onto computers.
The security biz's fraud bod Joseph Chen noticed the caper on December 21. Folks in Japan visited a website that served up malware over encrypted HTTPS using a Let's Encrypt-issued cert. The site used the Angler Exploit Kit to infect their machines with the software nasty, which is designed to raid their online bank accounts.
The use of encryption shields the malware from network security scanners while in transit, and the certificate helps legitimize the malicious site.
Before installing a Let's Encrypt certificate, the attackers compromised an unnamed web server, created their own subdomain for the server's website, and obtained a free HTTPS certificate for that subdomain.
The Let's Encrypt certificate Trend Micro found
The crims installed the cert on the compromised server, and then hosted a booby-trapped advert from that subdomain, Chen explained today. The ad also contained anti-antivirus code.
Chen is critical of Let's Encrypt's policy that it's "not a content filter," saying certificate authorities have a role to play in stopping attacks like this – and that Let's Encrypt needs to do more than just check certificates against Google's safe-browsing API. He feels there should be mechanisms in place to prevent unauthorized cert registrations for domains and their subdomains.
Let's Encrypt's Josh Aas, executive director of the Internet Security Research Group, told The Register his organization's policy – articulated in this blog post from October 2015 – still stands.
"We think the certificate ecosystem is not the appropriate mechanism to police phishing and malware on the web. Other mechanisms like Safe Browsing, SmartScreen, or in this case the advertising network's internal controls, are both more effective and more appropriate," he told The Register in an email.
"We do check the Google Safe Browsing API for phishing status before issuing certs, but we do not take action after that. It would be impractical and ineffective. We will not be revoking the certificates in question, but it looks like the sites in question have been taken down."
Essentially: secure your own servers, rather than rely on Let's Encrypt to mind the shop for you. ®
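As an added, defender-side example (not code from Trend Micro, Let's Encrypt or The Register): the practical counterpart to "secure your own servers" is to watch certificate issuance for your own domains, and the audit below runs over constructed issuance records of the kind Certificate Transparency logs expose and flags certificates for hostnames under your domain that are not in your inventory or come from a CA you do not use. The record layout, the example.com inventory and the issuer names are assumptions for the demonstration.

```python
"""Audit certificate issuance records for hostnames under your domains."""

# Constructed CT-style records (assumption: not real log data); each lists
# the issuing CA, the subject alternative names and the validity start.
SAMPLE_RECORDS = [
    {"issuer": "Let's Encrypt Authority X1", "names": ["www.example.com"], "not_before": "2015-12-01"},
    {"issuer": "Let's Encrypt Authority X1", "names": ["ad.example.com"], "not_before": "2015-12-21"},
    {"issuer": "Example Corp CA", "names": ["example.com", "www.example.com"], "not_before": "2015-11-15"},
    {"issuer": "Let's Encrypt Authority X1", "names": ["blog.other.org"], "not_before": "2015-12-20"},
    {"issuer": "Example Corp CA", "names": ["*.example.com"], "not_before": "2015-12-22"},
]

def _under_domain(host, domain):
    """True if host is the domain or a subdomain of it; a wildcard name counts."""
    if host.startswith("*."):
        host = host[2:]
    return host == domain or host.endswith("." + domain)

def audit_issuance(records, monitored_domains, known_hosts, expected_issuers):
    """Return one finding per name that falls under a monitored domain but is
    either absent from the host inventory or issued by a CA you do not use."""
    monitored = {d.lower().rstrip(".") for d in monitored_domains}
    known = {h.lower().rstrip(".") for h in known_hosts}
    findings = []
    for rec in records:
        for name in rec["names"]:
            norm = name.lower().rstrip(".")
            if not any(_under_domain(norm, d) for d in monitored):
                continue  # somebody else's domain: out of scope
            reasons = []
            if norm not in known:
                reasons.append("host not in inventory")
            if rec["issuer"] not in expected_issuers:
                reasons.append("issuer not used by us")
            if reasons:
                findings.append({"name": norm, "issuer": rec["issuer"],
                                 "not_before": rec["not_before"], "reasons": reasons})
    return findings

def run_sample():
    """Audit the constructed records for example.com (inventory and CA assumed)."""
    return audit_issuance(SAMPLE_RECORDS, {"example.com"},
                          {"example.com", "www.example.com"}, {"Example Corp CA"})

if __name__ == "__main__":
    for f in run_sample():
        print(f["not_before"], f["name"], f["issuer"], "; ".join(f["reasons"]))
```

A wildcard certificate for your own domain is flagged even when it comes from your usual CA, since an unrequested wildcard covers every subdomain an intruder might create.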