Home
/
Website Help
/
SSL Issues
/
I read that Let’s Encrypt can be exploited by hackers. Is that true?

I read that Let’s Encrypt can be exploited by hackers. Is that true?

There is no known security vulnerability in Let’s Encrypt that can be exploited. What is usually meant by hacker threat in this context is connected with the type of certificate validation. Let’s Encrypt and many other paid SSLs are domain-validated only (DV). This means that in order to issue the certificate, the CA (Certificate Authority) only checks if the certificate requester owns the domain. If a hacker manages to acquire access (usually through phishing) to your domain account at your domain registrar, they can create subdomains of your domain and issue security certificates for ​the subdomains as if they were the owner. This is called domain shadowing and can result in misleading people that they are visiting your website while in fact, it is a subdomain not related to your site at all.

A more secure type of validation is the extended validation (EV).​ With EV, the identity of the certificate requester is also checked by the CA ​in addition to the domain ownership,​ even when issuing a certificate for a subdomain.

How to secure your WordPress website? (video tutorial)

Share This Article