Let's Attack Let's Encrypt

Conference:  BlackHat USA 2021



The vulnerability of Let's Encrypt's distributed domain validation to off-path attacks and the development of an off-path downgrade attack to reduce domain validation to a single vulnerable server.
  • Let's Encrypt's distributed domain validation is vulnerable to off-path attacks
  • Off-path downgrade attack reduces domain validation to a single vulnerable server
  • Successful issuance of fraudulent certificates for 10% of the domains in the data set
Let's Encrypt's domain validation, although simple, is not yet a resolved problem.


Following the recent off-path attacks against PKI, Let's Encrypt deployed in 2020 domain validation from multiple vantage points to ensure security even against the stronger on-path MitM adversaries. The idea behind such distributed domain validation is that even if the adversary can hijack the traffic of some vantage points, it will not be able to intercept the traffic of all the vantage points to all the nameservers in a domain. In this work we show that two central design issues of Let's Encrypt's distributed domain validation make it vulnerable to downgrade attacks: (1) the vantage points are selected from a small fixed set of vantage points, and (2) the way the vantage points select the nameservers in target domains can be manipulated by a remote adversary. We develop off-path methodologies, based on these observations, to launch downgrade attacks against Let's Encrypt. The downgrade attacks reduce validation with 'multiple vantage points to multiple nameservers' to validation with 'multiple vantage points to a single attacker-selected nameserver'. Through experimental evaluations with Let's Encrypt and the 1M Let's Encrypt-certified domains, we find that our off-path attacker can successfully launch downgrade attacks against more than 24.53% of the domains, causing Let's Encrypt to use a single nameserver for validation with them. We then develop an automated off-path attack against the 'single-server' domain validation for these 24.53% domains, to obtain fraudulent certificates for more than 107K domains, which constitute 10% of the 1M domains in our dataset. We also evaluate our attacks against other major CAs and compare the security and efforts needed to launch the attacks to those needed to launch the attacks against Let's Encrypt. The conclusion from the evaluations is that our downgrade attacks remove any security benefits that Let's Encrypt has over other CAs.