I've heard Let’s Encrypt can be exploited by hackers. Is that true?

There is no known security vulnerability in Let’s Encrypt that can be exploited. What is usually meant by hacker threat in this context is connected with the type of certificate validation. Let’s Encrypt, and many other paid SSLs are domain-validated only (DV). This means that to issue the certificate, the CA (certificate authority) only checks if the certificate requester owns the domain. If a hacker manages to acquire access (usually through phishing) to your domain account at your domain registrar, they can create subdomains of your domain and issue security certificates for ​the subdomains as if they were the owner. This is called domain shadowing and can result in misleading people that they are visiting your website while, in fact, it is a subdomain not related to ​your site at all.

A more secure type of validation is the extended validation (EV).​ With EV, the identity of the certificate requester is also checked by the CA ​in addition to the domain ownership​,​ even when issuing a certificate for a subdomain.

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.