Free certificates for IP addresses: security problem or solution?

Let’s Encrypt has announced that it has issued its first certificate for an IP address. Why that’s significant deserves a little explanation.

You may have run into Let’s Encrypt certificates many times without realizing it. When you see a padlock icon in your browser’s address bar, it means the site is using a certificate to secure your connection. These certificates are “digital passports” that websites use to prove their identity and to encrypt the data sent between your browser and the website.

Traditionally, these certificates have only been issued for domain names (like malwarebytes.com). Now, Let’s Encrypt has started issuing certificates for IP addresses, which are the numerical labels (like 192.0.66.233) that computers use to find each other on the internet.

Let’s Encrypt is a very popular provider of certificates, and you can find its certificates on hundreds of millions of websites. That’s because:

  • Let’s Encrypt certificates are free.
  • Hosting companies and content delivery networks often provide Let’s Encrypt by default as a service to their customers.
  • Let’s Encrypt is a mission-driven nonprofit aiming to make the web safer and more private for everyone.

The advantages of providing certificates for IP addresses are clear. Since some browsers will refuse to open sites without a certificate, it provides a safer way to access your website if you don’t have a domain name at all. It also allows you to use your browser to remotely access home devices like network-attached storage (NAS) servers and Internet of Things (IoT) devices.

But most home users are unlikely to access a site by using the IP address. Domain names are much easier to remember (most of them anyway), and the Domain Name System (DNS) translates domain names to IP addresses for us without a lot of problems.

And while IP addresses can change, DNS will make sure that our browser can still find the domain we want to visit. This is one reason why Let’s Encrypt will only issue short-term certificates for IP addresses: the certificates will be valid for just six days, a move designed to minimize the risk window in the event of a key compromise and to encourage automated certificate renewal practices.

Domain certificates can be compromised and abused. For example, in 2011, DigiNotar, a Dutch certificate authority, was breached, resulting in the issuance of at least 500 fraudulent certificates for high-profile domains such as Gmail, Facebook, and the CIA.

And while you may have never heard of this breach, it spurred some much-needed improvements in the security of our online trust infrastructure.

Here’s the problem

If I post a link online or send it by email, it has a visible part and a hidden target, which is where you will actually be taken. For example, a link that displays the text example.com but points at https://malwarebytes.com/blog will not take you to example.com, but to our blog’s landing page.

But suppose a cybercriminal obtains a free certificate for the IP address of a server under their control. They could then construct a link whose visible text reads “payment provider X” while its real target is that IP address. Should you click that link, you could end up on a specially crafted copy of the payment provider’s site, set up by the cybercriminal, which asks for your login credentials. If you entered them, those credentials would fall into the hands of the criminals.

An unsuspecting user who might have noticed a wrong domain in the address bar may see no red flag in an IP address, especially when the padlock is there and suggests the site is legitimate. But encrypted traffic is not the same as trustworthy traffic. The connection is only encrypted between the user and the website, so whoever runs that website, in this case the criminal, can read the credentials the visitor sent.

At the same time, Let’s Encrypt’s move supports legitimate technical needs for IP-based certificates, so the challenge will be balancing security with accessibility. Defenders should monitor certificate transparency logs for suspicious IP certificates and combine this with other threat intelligence to identify abuse.
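A check a certificate transparency monitor might apply to each logged certificate, as an added Go example (not code from Let’s Encrypt or Malwarebytes): it lists any IP-address SANs and flags the short-lived IP certificates described above for a closer look. The certificate is a constructed self-signed sample standing in for a log entry; the 192.0.2.10 address, the issue date and the six-day threshold are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ReviewCert lists a certificate's IP-address SANs and flags the short-lived IP
// certificates described above, which a CT monitor would queue for a closer look.
func ReviewCert(c *x509.Certificate) (ipSANs []string, suspicious bool) {
	for _, ip := range c.IPAddresses {
		ipSANs = append(ipSANs, ip.String())
	}
	shortLived := c.NotAfter.Sub(c.NotBefore) <= 6*24*time.Hour // six-day lifetime
	return ipSANs, len(ipSANs) > 0 && shortLived
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeSampleCert builds a constructed, self-signed certificate standing in for a CT log entry.
func makeSampleCert(ips []net.IP, days int) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	start := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC) // assumed issue time
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sample"},
		NotBefore:    start,
		NotAfter:     start.AddDate(0, 0, days),
		IPAddresses:  ips,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	sans, flag := ReviewCert(makeSampleCert([]net.IP{net.ParseIP("192.0.2.10")}, 6)) // constructed sample, documentation address
	fmt.Println(sans, flag)
}
```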

In essence, this new capability is a double-edged sword, offering convenience and security benefits while also creating new opportunities for cybercriminals.

Tips for users

The tips are basically the same as for any unsolicited link you encounter. The difference is that you should keep in mind that these URLs can now include IP addresses.

  • Don’t click on links in unsolicited emails, messages or on social media.
  • Hover over the link. A mismatch between the displayed domain and the target URL is a red flag.
  • The padlock does not mean the website is safe. It just means the traffic between you and the site is encrypted, so nobody in between can eavesdrop.
  • Enable multi-factor authentication (MFA) so criminals will not have access to your accounts with the credentials alone.
  • Keep your device and the software on it up to date, especially your security software and your browser.
  • Use a security solution that provides active protection, including against malicious domains and IPs.
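The “hover over the link” tip above, and the disguised-link trick from the “Here’s the problem” section, as an added Go example (not Malwarebytes’ code): it pulls each anchor’s visible text and real target out of a constructed HTML snippet and reports a mismatch between them, or a target that is a bare IP address rather than a domain. The snippet, the 192.0.2.10 address and the simple anchor regex are assumptions.

```go
package main

import (
	"net"
	"net/url"
	"regexp"
	"strings"
)

// sampleHTML is a constructed snippet: the example.com trick from "Here's the problem"
// plus a link whose text names a payment provider but whose target is a bare IP address.
const sampleHTML = `<p>See <a href="https://malwarebytes.com/blog">example.com</a>,
<a href="https://192.0.2.10/login">payment provider X</a> and
<a href="https://malwarebytes.com/">malwarebytes.com</a>.</p>`

// anchorRe pulls the href and the visible text out of a simple HTML anchor.
var anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// LinkReport is what a "hover over the link" check surfaces for one anchor.
type LinkReport struct {
	Shown, Target, TargetHost string
	HostIsIP                  bool // real target is a bare IP address
	Mismatch                  bool // displayed text looks like a site, but a different one
}

// hostOf lowercases s and returns its host, treating a bare domain as an https URL.
func hostOf(s string) string {
	s = strings.ToLower(strings.TrimSpace(s))
	if !strings.Contains(s, "://") {
		s = "https://" + s
	}
	if u, err := url.Parse(s); err == nil {
		return u.Hostname()
	}
	return ""
}

// InspectLinks reports each anchor's real host, whether it is an IP, and any text/target mismatch.
func InspectLinks(html string) []LinkReport {
	var out []LinkReport
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		r := LinkReport{Shown: strings.TrimSpace(m[2]), Target: m[1]}
		r.TargetHost = hostOf(r.Target)
		r.HostIsIP = net.ParseIP(r.TargetHost) != nil
		shown := hostOf(r.Shown)
		r.Mismatch = strings.Contains(shown, ".") && shown != r.TargetHost
		out = append(out, r)
	}
	return out
}
```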
