The Certificate Authority (CA) Let's Encrypt, is only in Public Beta but is already starting to be abused by criminals. In a post to its blog, Trend Micro states that a certificate - issued by Let's Encrypt - was being used by a malvertising server which targeted Japanese web users.

The ads - being displayed to users in Japan - led to sites hosting the Angler Exploit Kit which downloads a banking Trojan (BKDR_VAWTRAK.AAAFV) onto infected machines. The malvertisers were using a technique called 'domain shadowing', this is where an attacker creates subdomains under a legitimate domain name. In this case the legitimate domain name had been issued a certificate by Let's Encrypt and was consequently trusted by browsers. The subdomains created by the attackers were also trusted by browsers.

Traditionally, a certificate would be issued to a website and do two things: confirm the identity of the site owner, and encrypt the connection between the end user and the website. Let's Encrypt was born out of a need for secure connections across the Internet, traditional CAs made it much too difficult for site owners to use HTTPS on their site as they had to provide identification. Let's Encrypt can be used by site owners to quickly add HTTPS to their site without having to provide identification, unfortunately this means users can't necessarily trust the identity of a site owner if they use a Let's Encrypt certificate.

Let's Encrypt do have some measures in place, for instance they check with the Google Safe Browsing API before issuing certificates, and will reject sites which have been flagged up.

Trend Micro have informed Let's Encrypt about the certificate involved in the malvertising in the hope that Let's Encrypt will revoke it. Unfortunately, Trend Micro pointed to a statement by Let's Encrypt which states that it doesn't believe CAs should be content filters. Let's Encrypt's stance is that CAs are not in the best position to police bad actors, and that it should be left up to the Google Safe Browsing API and site owners.

Browsers indicate HTTPS websites with a green indicator in the URL bar, a possible solution that neither Trend Micro nor Let's Encrypt mention, is a two-tier system which uses different colour identifiers in the URL bar to show that both are safe, but that Let's Encrypt CAs don't trust the site owner as they've not provided proof of identity.

Source: Trend Micro | Image via Techfruit