What prevents an attacker from registering a TLS certificate for an existing site?



  • This would be used in a phishing attack for example - coffee shop attack where google.com becomes a website controlled by the attacker, complete with the magic lock next to the URL. Can I use letsencrypt to create a valid cert for any website that browsers will trust?



  • What prevents an attacker from registering a TLS certificate for an existing site?

    Certificates are issued by Certificate Authorities (CAs), which are inherently trusted by the major web browsers. The job of the CA is to prevent exactly what you describe in your question. They do this by validating that you own/control the domain that you are asking them to issue the certificate for. This is often done by way of Domain Validation. Typically, it requires the domain owner to do one of the following:

    • Publish a string provided by the CA at a URL at the site for the domain
    • Click a verification link sent to an administrative email address for the domain
    • Publish a string provided by the CA in the domain's DNS

    It is very much in the interests of CAs to perform this validation procedure accurately, in order to prevent issuing certificates to attackers who do not in fact own/control the domain that they are requesting a certificate for. If a CA issues a certificate to an attacker, users may no longer trust this CA, and browsers could take the step of revoking their trust in this CA as well. This is what happened with DigiNotar in 2011.
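To make the three validation methods in the answer concrete, here is an added example (not part of the original answer, and not any real CA's code) that models the domain-validation step in memory. The `Domain` class, the `ToyCA` class, the `/.well-known/ca-challenge/` path and the `_ca-challenge` DNS label are all assumptions chosen for this illustration; a real CA runs a standardized challenge (for example ACME) against the live web and DNS. The point it shows is why a requester who cannot change the domain's web root, DNS zone or admin mailbox cannot pass validation: the CA generates a fresh random token per request and only issues if that exact token is observed where only the domain's controller can put it.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical locations where the CA expects to see its token (assumptions for this example).
CHALLENGE_PATH = "/.well-known/ca-challenge/"
DNS_LABEL = "_ca-challenge"


@dataclass
class Domain:
    """Constructed stand-in for what a CA can observe about one domain."""
    web_files: dict = field(default_factory=dict)    # URL path -> response body
    dns_txt: dict = field(default_factory=dict)      # record name -> TXT value
    admin_inbox: list = field(default_factory=list)  # mail delivered to admin@domain


class ToyCA:
    """Toy model of a CA's domain-validation step (assumption, not a real CA)."""

    def __init__(self):
        self.pending = {}  # (domain, method) -> secret token awaiting proof

    def new_challenge(self, domain, method, internet):
        """Create a fresh, unguessable token tied to this (domain, method) request."""
        token = secrets.token_urlsafe(32)
        self.pending[(domain, method)] = token
        if method == "email" and domain in internet:
            # The token goes to the administrative address; the requester must echo it back.
            internet[domain].admin_inbox.append(token)
        return token

    def validate(self, domain, method, internet, submitted=None):
        """Return True only if the token is observed where the domain controller must place it."""
        expected = self.pending.get((domain, method))
        site = internet.get(domain)
        if expected is None or site is None:
            return False
        if method == "http":
            observed = site.web_files.get(CHALLENGE_PATH + expected)
        elif method == "dns":
            observed = site.dns_txt.get(f"{DNS_LABEL}.{domain}")
        elif method == "email":
            observed = submitted
        else:
            return False
        ok = observed is not None and hmac.compare_digest(observed, expected)
        if ok:
            del self.pending[(domain, method)]  # single use: no replay of an old proof
        return ok


def run_demo():
    """Constructed scenario: a legitimate owner versus a requester who controls a different domain."""
    internet = {"victim.example": Domain(), "attacker.example": Domain()}
    ca = ToyCA()
    results = {}

    # Owner of victim.example publishes the token at the challenge URL on that site.
    tok = ca.new_challenge("victim.example", "http", internet)
    internet["victim.example"].web_files[CHALLENGE_PATH + tok] = tok
    results["owner_http"] = ca.validate("victim.example", "http", internet)
    # The same proof cannot be reused once consumed.
    results["replay_http"] = ca.validate("victim.example", "http", internet)

    # A requester asks for victim.example but can only edit attacker.example's DNS zone.
    tok = ca.new_challenge("victim.example", "dns", internet)
    internet["attacker.example"].dns_txt[f"{DNS_LABEL}.attacker.example"] = tok
    results["wrong_zone_dns"] = ca.validate("victim.example", "dns", internet)

    # Owner reads the token from the admin mailbox and returns it to the CA.
    ca.new_challenge("victim.example", "email", internet)
    mailed = internet["victim.example"].admin_inbox[-1]
    results["owner_email"] = ca.validate("victim.example", "email", internet, submitted=mailed)

    # Without access to the mailbox, a submitted value has to be guessed, which fails.
    ca.new_challenge("victim.example", "email", internet)
    results["guessed_email"] = ca.validate("victim.example", "email", internet, submitted="guess")
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {'issued' if outcome else 'refused'}")
```

The check uses `hmac.compare_digest` and a single-use token so that neither timing nor replay of an earlier proof helps; in the model the only way to pass is to already control the web root, the DNS zone or the admin mailbox of the exact domain named in the request.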


