Saturday, 31 October 2015

Let's Give Encrypt Known Phishing Sites No SSL Certificate

The free SSL service Let's Encrypt, where soon everyone a free SSL certificate for their website can request, will provisionally no certificates issue to known malware and phishing sites. Let's Encrypt aims to make the entire web through an encrypted connection to let go.

Critics worry that criminals will take advantage of the initiative to ask for their phishing sites SSL certificates. This would be a legitimate feel the phishing sites because they have a "lock" in the address bar. Consumers are always told the past few years in order to check for the presence of the lock-icon. According Let's Encrypt need an SSL certificate can not be seen as a form of approval. Certificate Authorities (CA), the parties who issue SSL certificates are in fact not well equipped to engage in the fight against phishing and malware.

Players like Google and Microsoft are here as Let's Encrypt better suited because they have more visibility on the ecosystem. Users are therefore better off with the anti-phishing and anti-malware filters that offer browsers. In addition, an SSL certificate must not be seen as special, according to the free certificate authority. "HTTPS is important for almost all websites," said the organization. The presence of an SSL certificate should therefore not be seen as an exception, but should be correct standard.

To meet the concerns of critics goes Let's Encrypt temporarily use the Google Safe Browsing API. This is a database of Google consisting of all kinds of malware and phishing sites. Websites in this database will of Let's Encrypt receive a certificate. The reason for introducing this measure is that many people still find a nice idea that a certificate authority is no longer engaged in the fight against malware and phishing, says Josh Aas, director of Internet Security Research Group (ISRG). Let's Encrypt is an initiative of the ISRG.

No comments:

Post a Comment