Monday March 27, 2017

Over 15,000 Fraudulent PayPal Certificates Issued to Phishing Sites

Let's Encrypt was launched publicly in December of 2015 under the premise that websites would be encrypted and served to the end user over Transport Layer Security (TLS). The thought was that TLS would protect user data from pilfering. Many Cyber Security experts expressed fear that these free certificates would be abused as the issuance processes are automated. These fears were realized when encryption pro Vincent Lynch confirmed that 96.7% of the 15,270 security certificates including the term "Paypal" were issued to illegal phishing sites.

"Assuming that current trends continue, Let’s Encrypt will issue 20,000 additional "PayPal" certificates by the end of this year."

Personally, I feel that web browsers should stop trusting HTTPS sites simply because they are HTTPS. Thorough validation and categorization are key.