Data shows widespread use of certificates for phishing
This is an open letter to Let’s Encrypt regarding its issuance of certificates containing the word “PayPal.”
Within the SSL/Certificate Authority industry, there is an ongoing debate about SSL certificates for malicious websites – the big question is whether CAs should be policing the content and nature of the sites they issue certificates to. Should CAs filter out and reject certificate requests if they believe the websites will use them for phishing or malware distribution? Should CAs revoke certificates for websites that are reported and proven to be involved in these activities?
Prior to Let’s Encrypt, all major CAs supported the view that certificates for malicious sites should be rejected or revoked, and Let’s Encrypt has stirred the pot by taking such an aggressive stance on the subject.
Josh Aas, Executive Director of Let’s Encrypt, has previously written about his view on a Certificate Authority’s responsibilities. Let’s Encrypt’s position is that it’s not a CA’s job to determine if the site requesting a certificate is safe or legitimate, and that even when one tries to, CAs aren’t very effective at blocking the “bad” sites.
As a result, Let’s Encrypt forgoes the pre-issuance checks that CAs have traditionally used to block “high-risk” requests likely to be used for malicious reasons, such as phishing. Instead, Let’s Encrypt defers to services like Google’s Safe Browsing and Microsoft’s SmartScreen which identify and block dangerous sites at a different layer.
Most of the commercial CAs disagree with Let’s Encrypt’s position, and this is a topic that is frequently debated. For more background on this topic, I suggest reading this great post from Eric Lawrence, which inspired this post.
I am not asking Let’s Encrypt to change its larger position. I respect and understand its view, and think it’s a sensible position given its goals as a CA.
Given that the content filtering debate is such a heated topic, I would like to sidestep it altogether and ask for something much simpler:
Stop issuing certificates containing “Paypal.”
Certificates containing the term “PayPal” are being pervasively abused, and the continued issuance of these certificates poses a danger to the web by bestowing legitimacy to phishing sites. Let’s Encrypt can address this without impacting its users or its mission.
That’s it. That’s all we’re asking. Now you may be thinking, wait, isn’t this content filtering?
As other CAs implement it, filtering involves complicated blacklists, submissions to multiple reputation and spam services, manual review processes, and a constant whack-a-mole game of figuring out which misspelling or homoglyph the phishers are using this week.
There is no way for Let’s Encrypt to implement similar measures without it compromising its mission or incurring large costs in developing, maintaining, and reviewing such measures. I think it is unfair to ask for that.
Instead, simply blocking “PayPal” (and literally just “PayPal,” no variations or misspellings) is an easy, feasible, and effective measure against the most dangerous and malicious use of Let’s Encrypt certificates.
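To show how small the proposed measure is, here is an added example (not code from Let’s Encrypt or from this letter) of a pre-issuance policy check that rejects an order if any requested DNS name contains the literal term “paypal”, plus a census helper of the kind used to count such certificates in a certificate corpus. The certificate records and domain names are constructed for illustration; the lookalike names show that, as the letter says, misspellings are deliberately not caught.

```python
"""Exact-term pre-issuance block and a brand census over certificate records (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Assumption: a single literal term, matched case-insensitively; no variants or misspellings.
BLOCKED_TERMS = ("paypal",)


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot and a leading wildcard label."""
    name = name.strip().rstrip(".").lower()
    return name[2:] if name.startswith("*.") else name


def blocked_term(name: str, terms: Sequence[str] = BLOCKED_TERMS) -> Optional[str]:
    """Return the blocked term found in `name`, or None if the name is allowed."""
    norm = _normalize(name)
    for term in terms:
        if term in norm:  # substring match: brand-in-a-subdomain is the common pattern
            return term
    return None


def check_order(names: Iterable[str]) -> Tuple[bool, List[str]]:
    """Policy check run before issuance: reject the whole order if ANY name is blocked."""
    rejected = [n for n in names if blocked_term(n) is not None]
    return (len(rejected) == 0, rejected)


def census(records: Iterable[Dict], term: str = "paypal") -> Counter:
    """Count certificates containing `term` in any name, grouped by issuer."""
    hits: Counter = Counter()
    for rec in records:
        if any(blocked_term(n, (term,)) for n in rec["names"]):
            hits[rec["issuer"]] += 1
    return hits


# Constructed sample corpus (issuer names and domains are made up; .example is reserved).
SAMPLE_RECORDS = [
    {"issuer": "CA-A", "names": ["www.shop.example"]},
    {"issuer": "CA-A", "names": ["secure-paypal.login.example", "mail.login.example"]},
    {"issuer": "CA-B", "names": ["*.PayPal-verify.example"]},
    {"issuer": "CA-B", "names": ["paaypal.example", "paypa1.example"]},  # lookalikes pass
]
```

Run `census(SAMPLE_RECORDS)` to get the per-issuer count, and `check_order([...])` to see which names an order would be refused for.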
When Eric published his post, Let’s Encrypt had issued 709 certificates containing “PayPal.” Now that number is 988.
988 Let’s Encrypt PayPal certificates.
Here is an example of one of these phishing sites:
Can you honestly say this could not trick an everyday user? What about an educated user? What about you?
Some internet users “look for the lock” as an indicator to tell if a site is legitimate – this was common advice when CAs were hard on phishing. Even Google was giving this advice as recently as last month (to its credit, the company fixed this once it was pointed out). While there is good reason not to teach users this anymore, it’s already a learned behavior for some. Now that Google Chrome displays “Secure” next to the padlock for all HTTPS connections, the risk of associating HTTPS with legitimacy is higher than ever.
PayPal is one of the most common targets for phishing due to its popularity across the world, especially in developed countries. The better that phishers can imitate the real PayPal.com site, the more effective their schemes can be. Having “PayPal” spelled correctly in the domain name, combined with the browser indicators of HTTPS – made possible with a Let’s Encrypt PayPal certificate – helps create the best imitations.
Let’s Encrypt PayPal Phishing, A Unique Threat
Let’s Encrypt certificates containing “PayPal” are overwhelmingly being used for phishing, and they pose a substantial and unique threat to innocent users.
Using Censys.io, which has a corpus of more than 40 million publicly-trusted SSL certificates, we found that prior to Let’s Encrypt there was not widespread issuance of phishing certificates containing the term “PayPal.” According to the Censys database, between August of 2012 and August 2016, all other CAs combined have issued 258 certificates containing “PayPal” that were likely used for phishing.
Let’s Encrypt has issued nearly four times that many, the majority of them since November 2016, which is a significantly faster rate than previously seen. If the current rate continues, the number of Let’s Encrypt PayPal certs will double to 2,000 by April.
We looked at the 988 Let’s Encrypt PayPal certificates to see how they were being used. The vast majority were phishing sites. Only 4 of the 988 appeared to be for non-malicious use (that’s less than half a percent). Three of those certificates appeared to be part of otherwise legitimate sites, but we could not determine their purpose and they were no longer being actively used. The last Let’s Encrypt PayPal certificate was being used on a staging site for testing PayPal integration.
“PayPal” certificates from Let’s Encrypt are unique in that they are a high-volume target for phishers, they are being used almost exclusively by phishers, and blocking the term is extremely unlikely to trigger false positives.
Other large brands do not satisfy these properties and could not be blocked without interfering with legitimate subscribers. For instance, “Apple” is a generic word and has lots of use unrelated to the computer company. “Google” would trigger false positives, for instance with companies offering SEO services. There seems to be no legitimate use of “BankOfAmerica” in Let’s Encrypt issued certificates, but it’s a very low-volume target with only 16 certs issued.
Most other terms fail to meet these properties as well – that’s why it is infeasible to implement a blacklist of any sort of “Alexa Top X” of domains or brands. Doing so would hurt Let’s Encrypt users.
But that is not the case for “PayPal.” Its use is almost entirely malicious, and it is worth blocking as it’s amongst the highest-volume targets for phishers. Given the term’s propensity for malicious use and the fact that PayPal gets its SSL from Symantec, there should be no more Let’s Encrypt PayPal certificates issued going forward.
The majority of these “PayPal” phishing sites are detected and blocked by services like Safe Browsing, which effectively protects users. However, these services are reactive by nature and always playing catch-up. No matter how quickly Google (and diligent reporters) may be able to catch them, there is still a window between issuance and detection where a few people – potentially even a few dozen or a few hundred – can be harmed by the convincing use of SSL on a “PayPal” phishing site.
Even with “PayPal” certificates blocked, will it still be possible for SSL certificates to be used by phishing and malware sites every day? Yes, of course. We all recognize phishers will respond by using the second-best imitation for “PayPal.”
It has always been, and will continue to be, possible to get variations like “PaayPal” and “PayPel” through the filters of most CAs. But these variations are less effective for phishing, and taking the best weapon out of an attacker’s hands is a significant improvement in safety.
There is a future – where users have a more nuanced, or at least more accurate understanding of what the padlock icon represents. Where 2FA is widely used. Where HTTPS adoption is so widespread that browsers can flip the paradigm of security UI.
But that is the future.
Given the current state of user education, it is extremely difficult to justify the continued issuance of certificates quantifiably shown to be harmful to users. Certificates containing “PayPal” are a serious and unique threat – one which deserves attention and its own solution. That is why I hope to start a dialogue with Let’s Encrypt and discuss blocking issuance for certificates containing “PayPal.”
Blocking further issuance of these certificates will help protect users from convincing phishing scams without imposing a logistical or financial burden on Let’s Encrypt and without impacting its users.
I would like to thank Eric Lawrence, whose work inspired this article, and whose contributions improved it.