Researchers discover technique that allows bypassing Let’s Encrypt domain validation and allows fake SSL certificates

Researcher Haya Shulman of the Fraunhofer Institute for Secure Information Technology in Germany reported the discovery of a critical vulnerability in Let’s Encrypt that would allow threat actors to evade security measures on this service and obtain digital certificates with ease.  The flaw lies in the mechanism used by Let’s Encrypt for web domain ownership validation.

As some users may know, Let’s Encrypt is a non-profit certificate authority that provides domain owners with SSL certificates for authenticating their websites over HTTPS.

The technology currently employed by Let’s Encrypt was released in February 2020 and was the organization’s response to multiple Border Gateway Protocol-based account hijacking attacks. This new technology is very useful for blocking Manipulator-in-The-Middle attacks.

Shulman and his team were able to demonstrate that this technology is vulnerable to a demotion attack due to multiple factors, mainly due to the manipulation of the way strategic points select name servers in the affected domains. Another vulnerable factor is that observation points are selected on a small set of four cloud-based systems.

The researcher’s findings were presented during her participation in Black Hat last Wednesday.

These attacks are used to trick the target system into using a specific name server by introducing high latency in connections to other validation nodes. In controlled trials, researchers found that attackers could launch attacks against nearly one in four of the domains used by Let’s Encrypt (24.5%).

Shulman also evaluated the effectiveness of these attacks against other organizations dedicated to issuing security certificates, discovering that the technology employed by Let’s Encrypt is especially vulnerable to this variant of attack.

Let’s Encrypt is the only certificate authority that uses multi-perspective validation, but the attack could also offer a means to attack validation technologies used by other organizations. The certification authority is expected to implement some mitigation measures shortly.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.