The Certificate Authority (CA) Lets Encrypt, is only in Public Beta but is already starting to be abused by criminals. In a post to its blog, Trend Micro states that a certificate - issued by Lets Encrypt - was being used by a malvertising server which targeted Japanese web users.
The ads - being displayed to users in Japan - led to sites hosting the Angler Exploit Kit which downloads a banking Trojan (BKDR_VAWTRAK.AAAFV) onto infected machines. The malvertisers were using a technique called "domain shadowing", this is where an attacker creates subdomains under a legitimate domain name. In this case the legitimate domain name had been issued a certificate by Lets Encrypt and was consequently trusted by browsers. The subdomains created by the attackers were also trusted by browsers.
Traditionally, a certificate would be issued to a website and do two things: confirm the identity of the site owner, and encrypt the connection between the end user and the website. Lets Encrypt was born out of a need for secure connections across the Internet, traditional CAs made it much too difficult for site owners to use HTTPS on their site as they had to provide identification. Lets Encrypt can be used by site owners to quickly add HTTPS to their site without having to provide identification, unfortunately this means users cant necessarily trust the identity of a site owner if they use a Lets Encrypt certificate.
Trend Micro have informed Lets Encrypt about the certificate involved in the malvertising in the hope that Lets Encrypt will revoke it. Unfortunately, Trend Micro pointed to a statement by Lets Encrypt which states that it doesnt believe CAs should be content filters. Lets Encrypts stance is that CAs are not in the best position to police bad actors, and that it should be left up to the Google Safe Browsing API and site owners.
Browsers indicate HTTPS websites with a green indicator in the URL bar, a possible solution that neither Trend Micro nor Lets Encrypt mention, is a two-tier system which uses different colour identifiers in the URL bar to show that both are safe, but that Lets Encrypt CAs dont trust the site owner as theyve not provided proof of identity.