A malvertising campaign has been using a free digital certificate it acquired from certificate authority, Let’s Encrypt. The cybercriminals had compromised a legitimate website and set up a subdomain that led to a server under their control, wrote Joseph Chen, a fraud researcher with Trend. Brian Spector, CEO of MIRACL have the following comments on this issue.
[su_note note_color=”#ffffcc” text_color=”#00000″]Brian Spector, CEO of MIRACL :
“Let’s Encrypt has its heart in the right place. The intention to make certificates free so that transport encryption, i.e. TLS, could become ubiquitous on the Internet is the right idea.
Using PKI based TLS is the problem because PKI as a technology, and the commercial certificate market as an industry, is so inherently broken.
Many people will think Let’s Encrypt are exacerbating the issue of rouge certificates an order of magnitude with their refusal to not revoke issued certificates that are known to be used by criminals in malware that targets individuals.
Indeed, they are making the problem of issued rouge certificates worse because Let’s Encrypt will issue a certificate to anyone.
But the dirty secret that Let’s Encrypt knows that everyone needs to be aware of is this: Certificate revocation on the public Internet doesn’t work anyway, that’s why Let’s Encrypt certificates are only good for 90 days. Because the current revocation mechanisms are so broken, why even build it in?
If certificate revocation, one of the core underlying principals of certificate issuing and management, is so fundamentally broken that Let’s Encrypt doesn’t bother to even attempt to build this capability into their Certificate Authority, then what hope does PKI have of securing the Internet?
It’s time to move the Internet past reliance on PKI for TLS, VPN’s and authentication.
PKI needs to be replaced with Distributed Trust Authority system that doesn’t rely on a monolithic trust authority and combine trust from a multitude of providers, and to use cryptographic protocols like identity based cryptography to move the industry off 40 year old technology like PKI.
New open source projects are seeking to do just this, and it’s about time the major Internet names get behind these initiatives, instead of seeking to prop up technology like PKI that insecure, dangerous and past its sell by date.”[/su_note]
[su_box title=”About MIRACL” style=”noise” box_color=”#336588″]
[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.