There are many free SSL certificates available on the market these days. Do these free services guarantee a secure environment for transactions?
Free SSL Certificates have already been abused by cyber criminals taking advantage of the SSL Certificates' system of trust. Attackers abused the system by obtaining SSL Certificates for fake websites hosted on sub-domains that appeared to belong to legitimate domain names. In most cases, the domain owner was unaware of the problem and was not able to prevent it.
According to an article, cyber criminals ran a "malvertising" campaign that led to a banking Trojan being downloaded onto visitors' computers. The attack relied on the "domain shadowing" technique: the attackers' ability to create malicious sub-domains under a legitimate domain (in this case, the sub-domains were protected by a Let's Encrypt SSL certificate). These sub-domains pointed to a malicious server under the cybercriminals' control. The problem was that Let's Encrypt only checked the main domain, verifying whether it was flagged for malware or phishing, when issuing its free SSL Certificates. When it received the SSL request for the shadow sub-domains, it issued a valid SSL Certificate without checking their ownership and legitimacy. Moreover, Let's Encrypt has a policy of not revoking its free SSL Certificates, because a request for an SSL Certificate "doesn't say anything about a website's content or who runs the website". This leaves many legitimate domain names vulnerable to such incidents.
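Because the certificate authority will not revoke a shadow sub-domain's certificate, the practical defence is on the domain owner's side: keep an inventory of the hostnames you actually operate and compare it against two external signals, Certificate Transparency logs (which record every certificate issued for names under your domain, including Let's Encrypt's) and your own DNS zone. A sub-domain that appears in neither the inventory nor your owned address space, yet has a freshly issued certificate, is exactly the pattern described above. The script below is an added example written for this article, not code from the article or from Let's Encrypt; it assumes CT entries shaped like crt.sh's JSON output (`name_value` with newline-separated SANs) and DNS records as `(name, type, value)` tuples, and all hostnames, addresses and log entries in it are constructed for illustration.

```python
"""Detect domain shadowing: sub-domains and certificates the domain owner never authorised.

Added example (not from the original article). Assumed input formats:
- CT-log entries shaped like crt.sh JSON output (name_value holds newline-separated SANs),
- DNS records as (name, type, value) tuples exported from the zone or a passive-DNS feed.
All sample data below is constructed for illustration.
"""
import ipaddress
import json

DOMAIN = "example.com"

# Hostnames the organisation knowingly operates (constructed inventory).
AUTHORISED_HOSTS = {"example.com", "www.example.com", "mail.example.com"}

# Address ranges the organisation actually controls (constructed).
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed CT-log entries in the shape crt.sh returns; issuer strings are illustrative.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-05-01T10:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-05-03T02:14:00",
     "name_value": "login-secure.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-05-03T02:15:00",
     "name_value": "ads.cdn-static.example.com\nupdate.example.com"},
])

# Constructed DNS records (name, type, value); the last two point off-net.
SAMPLE_DNS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("login-secure.example.com", "A", "198.51.100.77"),
    ("update.example.com", "A", "198.51.100.77"),
]


def in_scope(host, domain=DOMAIN):
    """True for the apex domain and anything under it; wildcard markers are ignored."""
    host = host.lower().lstrip("*.")
    return host == domain or host.endswith("." + domain)


def unauthorised_cert_names(ct_json, authorised=AUTHORISED_HOSTS, domain=DOMAIN):
    """Map each in-scope SAN that is missing from the inventory to its (issuer, not_before) list."""
    findings = {}
    for entry in json.loads(ct_json):
        for san in entry["name_value"].split("\n"):
            name = san.strip().lower().lstrip("*.")
            if in_scope(name, domain) and name not in authorised:
                findings.setdefault(name, []).append((entry["issuer_name"], entry["not_before"]))
    return findings


def unauthorised_dns_records(records, authorised=AUTHORISED_HOSTS, owned=OWNED_NETWORKS, domain=DOMAIN):
    """Return (name, type, value, reason) for records naming unknown hosts or resolving off-net."""
    findings = []
    for name, rtype, value in records:
        name = name.lower()
        if not in_scope(name, domain):
            continue
        reasons = []
        if name not in authorised:
            reasons.append("hostname not in inventory")
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if not any(addr in net for net in owned):
                reasons.append("points outside owned address space")
        if reasons:
            findings.append((name, rtype, value, "; ".join(reasons)))
    return findings


def shadowing_report(ct_json=SAMPLE_CT_JSON, records=SAMPLE_DNS):
    """Combine both signals: an unknown host with both a DNS record and a fresh cert is the strongest indicator."""
    certs = unauthorised_cert_names(ct_json)
    dns = unauthorised_dns_records(records)
    dns_hosts = {name for name, _, _, _ in dns}
    return {
        "suspect_hosts": sorted(set(certs) & dns_hosts),   # cert issued AND live DNS record
        "cert_only": sorted(set(certs) - dns_hosts),       # cert issued, no record seen yet
        "dns_findings": dns,
        "cert_findings": certs,
    }


if __name__ == "__main__":
    report = shadowing_report()
    for host in report["suspect_hosts"]:
        print("SHADOW SUB-DOMAIN:", host, report["cert_findings"][host])
    for host in report["cert_only"]:
        print("certificate for unknown host (no DNS record seen):", host)
```

Run it on a real export by replacing `SAMPLE_CT_JSON` with the JSON returned for your domain from a CT search service and `SAMPLE_DNS` with your zone or passive-DNS records; the "cert only" bucket matters too, since a certificate for a name you never created can precede the DNS record by minutes. The DNS comparison also catches the case the article describes, where the registrar or DNS account was used to add records pointing at an address outside your own ranges.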