There, I said it! It might sound like a weird thing to say, but stick with me on this one. We really do need more phishing sites on HTTPS, all of them, encrypt all the things, and not for the reason you might think.
The web is going HTTPS
There's no denying it, the web is moving to HTTPS at a rate faster than anything we've seen in history. My own scans of the Top 1 Million sites on the web show that not only are we continuing to adopt HTTPS, but the rate at which we're doing it is also increasing. If we want the whole web to be on HTTPS, which we do, then we need to remove the barriers to going HTTPS, mainly financial and technical barriers. Let's Encrypt managed to do both of those things successfully and we now have a free and open CA that will issue certificates to websites. When things are free and easy to get it's not just the good guys that are going to be getting them.
The HTTPS phishing thing
There's been a lot of noise in the industry recently about Let's Encrypt issuing certs to domains being used for phishing. I've written before about how Let's Encrypt are enabling the bad guys, and why they should, so you can read that for more details. The TL;DR is that if you own a domain, you get a cert for that domain. There is no 'are you a good person?', 'do you promise not to do naughty things after we give you a cert?' or any other kind of criteria. The CA needs to prove you own a domain and then they issue a cert. As I say, this has blown up more recently, but it has been a thing for much longer.
Up until last year COMODO were issuing a lot more phishing certs than Let's Encrypt, but it hasn't really been a point of conversation until much more recently. The other interesting point here is that we know Let's Encrypt log all of their certs, whereas, right now, COMODO don't. When we get to April and CT logging becomes mandatory rather than optional as it is now, it will be really interesting to see what happens to these numbers. I'm not going to delve into this too much, but what I am going to delve into is why we need all phishing sites on HTTPS.
Encrypt all the things
I'm going to skip over all the obvious reasons that we want phishing sites on HTTPS. If we want a 100% encrypted web then we need to encrypt all sites, regardless of whether you agree with what they do/say/sell/etc... 100% is 100% and it includes the 'bad guys' too. <sarcasm> Also, if you are being phished I guess you still want the same protection for your PayPal username and password regardless of where it's being sent, there's no point in having it exposed even further! </sarcasm> But these are not the reasons that I want to talk about today. There is another reason we want phishing sites on HTTPS, and it's actually so we can find them and shut them down faster.
I've spoken about Certificate Transparency before, and it's an awesome new requirement coming in April 2018 that means any certificate that a CA issues has to be placed into a public log for the whole world to see. Just think about that for a second. Right now when someone registers a domain, we don't know. When they set up a domain in DNS, we don't know. When they go phishing on HTTP, we don't know. But now, when they get a certificate, we've got them! The CT logs are an awesome way to monitor for new phishing sites coming into existence by watching for them being issued new certificates!
I'm using Censys here, and there are other sites to do this, but this query shows us all the certificates out there that have the substring 'paypal' in them somewhere. If you go and look through that list you will see a whole range of domains. Some of them are quite clearly phishing sites, but many of them are also legitimate. We can't assume that a simple substring match on 'paypal' automatically means phishing/bad/attackers/hostile and should therefore be banned. If you were PayPal though, imagine if you monitored these logs and saw certificates being created. Most of them have a maximum delay of 24 hours before they show up but, very often, they show up in minutes. You could see one of these certificates being issued and probably find the website before they've even finished setting it up! Once it comes online, you can see it's obviously a phishing site and you head over and submit it to SafeBrowsing. You can have it reported and blocked before the phishers have even had a chance to send out their first round of emails.
Now compare that to HTTP: with no certificate issuance, how would you become aware of that domain targeting your customers? Do you wait for emails from them, or do you wait until they've been phished and report that their account has been drained of funds? Almost all of the scenarios are after something bad has happened. CT takes the current situation, where phishers already exist, and forces them to publicly disclose the certs they are obtaining.
With the current offering from Let's Encrypt and other CAs you have to list your subdomains in the cert too. If I want a cert it would have scotthelme.co.uk and www.scotthelme.co.uk listed in it. If I wanted a phishing cert it'd also have paypal.scotthelme.co.uk in it, so we could find it with the above method. But what if I get a wildcard cert that has *.scotthelme.co.uk in it? I can now do things like paypal.scotthelme.co.uk, except the 'paypal' substring match won't find the cert. This does introduce a problem and we might be back to traditional methods to find this domain, but if someone has *.secure-login-provider.com and several subdomains are being used for different sites like PayPal or eBay, then the domain itself is likely to get ban hammered in SafeBrowsing and not just the phishing subdomain itself. You can't get wildcard certs from Let's Encrypt yet, they don't support them, but it will be interesting to see the adoption of wildcards when they do add support.
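To make the monitoring idea from the last few paragraphs concrete, here is an added example (not code from the original post) that applies the 'paypal' substring check to CT-style certificate records, skips the brand's own allowlisted domains so the legitimate hits aren't flagged, and separately surfaces wildcard certificates, where the keyword never appears in the logged names. The record layout, the allowlist and the sample records are all constructed assumptions, not real log entries.

```python
"""Brand-keyword scan over CT-log style certificate records."""
from dataclasses import dataclass


@dataclass
class CertRecord:
    issuer: str
    not_before: str   # ISO 8601 issuance time
    names: list       # dNSName SANs from the leaf, lower-case


# Constructed sample records, modelled on what a CT monitor returns.
SAMPLE_RECORDS = [
    CertRecord("Let's Encrypt", "2018-02-10T09:00:00Z",
               ["paypal-secure-login.example", "www.paypal-secure-login.example"]),
    CertRecord("Let's Encrypt", "2018-02-10T09:05:00Z",
               ["paypal.com", "www.paypal.com"]),
    CertRecord("COMODO", "2018-02-10T09:07:00Z",
               ["*.secure-login-provider.example"]),
    CertRecord("Let's Encrypt", "2018-02-10T09:09:00Z",
               ["blog.scotthelme.co.uk"]),
]

# Assumed list of domains the brand itself owns; hits here are not phishing.
ALLOWLIST = {"paypal.com", "paypal.me"}


def registrable_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels). A real monitor should use the
    Public Suffix List so that co.uk and friends are handled correctly."""
    return ".".join(name.split(".")[-2:])


def classify(rec: CertRecord, keyword: str) -> str:
    """Return 'allowlisted', 'keyword_hit', 'wildcard' or 'clear'."""
    if all(registrable_domain(n) in ALLOWLIST for n in rec.names):
        return "allowlisted"          # brand's own cert, not a finding
    if any(keyword in n for n in rec.names):
        return "keyword_hit"          # substring match, needs a human look
    # A wildcard hides its subdomains: '*.x' can later serve paypal.x and the
    # keyword never reaches the log, so surface it for other checks instead.
    if any(n.startswith("*.") for n in rec.names):
        return "wildcard"
    return "clear"


def scan(records, keyword="paypal"):
    """Return (first SAN, verdict) for every record that is not clear."""
    findings = []
    for rec in records:
        verdict = classify(rec, keyword)
        if verdict != "clear":
            findings.append((rec.names[0], verdict))
    return findings
```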
We can solve this better elsewhere
SafeBrowsing is already a proven and reliable method to neutralise phishing sites when they pop up. Finding phishing certs and then asking the CA to revoke them is also a fairly pointless exercise because revocation is broken and of course there's the obvious possibility of abuse for such a system too. What I find interesting about the argument that Let's Encrypt and other CAs shouldn't issue these certs is that people seem generally quite happy for the domain registrar to sell the domain and for the DNS providers to resolve the domain and for the browsers to then render the domain, but if a CA issues a certificate for it then there's uproar. Personally I don't quite understand the focus on cert issuance for phishing domains and think there are far better places to focus our efforts that will yield far better results too! For now, though, let's keep hoping that the phishers get themselves certificates and post their shiny new phishing domains in CT for us to find.