by bobthedino 2837 days ago
Although this comment in RiskIQ's report (https://www.riskiq.com/blog/labs/magecart-british-airways-br...) is even worse - it suggests that LetsEncrypt certs are less "legitimate" than paid ones: "Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server"

After years of watching actual users, my first guesses as to why the crooks went with a "paid certificate from Comodo" would be:

1. They genuinely didn't know about Let's Encrypt

2. Learning some new stuff to get a free cert didn't seem worth it because they're not paying anyway (at corps this is often because they have a bulk deal, or there will just be a Purchase Order so it's not their personal credit card bill, for crooks it's probably someone else's money anyway)

3. Some minor technical inconvenience made doing the ACME proof of control validations tricky. For example their DNS provider doesn't implement a sane API for changing TXT records.

> Learning some new stuff to get a free cert didn't seem worth it because they're not paying anyway

Even if they are paying, the ROI on spending even a single day on learning new stuff is a long, long time if you're just buying a DV cert.

Learn new thing make brain hurt though. Maybe same for crook.
As I remember, a lot of companies didn't want to move to LE because their root certificate was not present in a lot of devices and those devices cannot or will not be patched to include it. Due to this, if you were, for example, on an old Android phone, pages with a LE cert would show as being insecure.
That's a pretty old/crappy Android phone though, either Froyo (or older) or a Gingerbread without patches.

There are other examples, the Nintendo Wii U, Internet Explorer on old enough XP (but really old XP can't grok modern TLS anyway and so you're screwed) but we're quickly talking about the minority of a minority.

I'm sure the perception was there though.

Wow, the Wii U is one? No wonder I had a bunch of Wii U users reporting my site stopped working when I started forcing HTTPS.

"Minority of a minority", maybe, but I still got around five tweets about it when it happened; more than most other changes I make.

Just to be clear, you're serious right? Because yes, the Wii U has a browser, it hasn't been updated (because the Wii U is basically abandoned at this point) and it never did trust DST Root CA X3, which is the root via which trust to Let's Encrypt was bootstrapped in older browsers. Don't happen to have links for any of those tweets do you? I'd be happy to have an actual example of a user who ran into this for real (nobody can fix it, but it's good to be reminded they exist).
Yes, I'm serious, but it looks like I misremembered, because it took me forever to dig up the post (it turned out not to be on Twitter).

https://www.reddit.com/r/pokemonshowdown/comments/7eix1o/pok...

The problem wasn't just because of the HTTPS cert, but also because it didn't support WebSocket on port 8000.

Crap DNS not supporting CAA records can be an issue too
Good point. Worth spelling out that your DNS doesn't need to understand CAA records, it merely needs to be able to conform to the obvious requirement that if you ask it "Hey are there CAA records for this name?" it says "No" rather than crashing, silently ignoring the question or returning an error indication.

As usual in DNS this works fine in the Free implementation your OS vendor included, shame about all the expensive proprietary choices that get this wrong for every single new record type.
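To make the point above concrete, here is an added example (not from this thread or from any CA's code) of the CAA tree-climbing check a CA performs before issuing, per RFC 8659: walk from the requested name up toward the root until a CAA record set is found, then see whether the CA's domain is listed. It runs against a constructed in-memory zone table (all names are made up) so it works offline, and it separates the healthy "no CAA records here" answer from the broken "server errors on CAA queries" case the comment describes.

```python
# Added example, not code from the thread or any CA. Constructed zone data:
# name -> list of (tag, value) CAA records, [] for NOERROR/NODATA ("no CAA
# records"), None for a lookup failure (SERVFAIL, crash, timeout).
# Names missing from the table are treated as NODATA.
FAKE_DNS = {
    "example.org.": [("issue", "letsencrypt.org")],
    "www.example.org.": [],
    "broken.example.net.": None,
    "example.net.": [("issue", "comodoca.com")],
    "locked.test.": [("issue", ";")],           # explicit "no CA may issue"
    "report.test.": [("iodef", "mailto:sec@report.test")],  # no issue tag
}

def lookup_caa(name):
    """Stand-in for a real CAA query against the constructed zone."""
    return FAKE_DNS.get(name, [])

def climb(name):
    """Yield the FQDN and each ancestor, stopping before the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."

def caa_decision(fqdn, ca_domain):
    """Return (verdict, deciding_name) where verdict is one of
    'permitted', 'forbidden' or 'lookup-failed'."""
    for name in climb(fqdn):
        rrset = lookup_caa(name)
        if rrset is None:
            # The server broke instead of saying "no records": the CA cannot
            # tell whether it is allowed to issue, so the check fails here.
            return "lookup-failed", name
        if rrset:
            # First CAA RRset found going up the tree is the relevant one.
            issuers = [v for t, v in rrset if t == "issue"]
            if not issuers:
                return "permitted", name    # only iodef etc.: no restriction
            # The issuer domain precedes any ';'-separated parameters.
            ok = any(v.split(";")[0].strip() == ca_domain for v in issuers)
            return ("permitted" if ok else "forbidden"), name
    return "permitted", "."   # no CAA anywhere in the chain: any CA may issue
```

A nameserver that returns NODATA for an unknown record type passes this walk cleanly; one that returns SERVFAIL on the CAA query lands in the `lookup-failed` branch before any ancestor is consulted.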

Speaking of crap DNS, OVH's webUI does not have DNS CAA support and their support claims they don't support it but their API is able to add the record and it works.

It's a pity it isn't just a TXT record.

Ehhh... very few (if any?) major orgs that take credit cards use Letsencrypt. Many, many malicious actors do. It's the go to cert for securing malicious sites

A security team reviewing that baways.com site would definitely make note of the fact that it was using letsencrypt.

Really not understanding the downvotes here. This isn't a judgement on letsencrypt. It's a reflection of reality.

Letsencrypt certs are widely used by malicious actors. Thus one not being used is noteworthy and why RiskIQ made note of it.

If someone who's downvoting me would like to show some examples of major websites from Fortune 100s or large international firms (like BA) using letsencrypt certs to collect payment info, then by all means, please do.