Not-for-profit certificate authority Let’s Encrypt has started issuing wildcard HTTPS certificates for free, allowing organizations with a large number of web assets to significantly simplify their certificate management.
Let’s Encrypt has been partly credited with the rapid HTTPS adoption on the web in recent years through its offering of domain certificates for free. Not only that, but the organization has developed a protocol called ACME (Automated Certificate Management Environment) that automates the ordering, installation and renewal of certificates, which greatly simplifies the process for website administrators.
Until now, Let’s Encrypt offered only hostname-based certificates, meaning that if you had two web applications hosted at app1.example.com and app2.example.com you had to obtain separate certificates for each of them. And for large organizations with tens or hundreds of internal and external apps, that could quickly become a management burden.
By comparison, a single wildcard certificate can now be issued for *.example.com and will be valid for all subdomains of example.com. Furthermore, a single wildcard certificate can hold and be valid for multiple base domains, *.example.com, *.example2.com and so on.
To get such certificates through Let’s Encrypt users will need to use an updated ACME client that supports version 2 of the protocol. Obtaining a wildcard certificate also will require DNS-based domain ownership validation, where a verification token issued by Let’s Encrypt will have to be added in a DNS TXT record for the domain.
“Existing ACME accounts from the production V1 API will work with the production V2 API,” Let’s Encrypt said in an announcement. “Authorizations held by a V1 account will not be usable in the V2 environment – you must revalidate your domains for use with ACME v2.”
The organization said that while it expects free wildcard certificates to drive HTTPS adoption even higher, it still recommends the use of non-wildcard certificates for most use cases.
That’s because the use of a single certificate for all properties could create a single point of failure. If that certificate’s private key is stolen, attackers could launch man-in-the-middle attacks against all applications, regardless of whether they’re hosted on different servers.
Companies should carefully consider the risks versus the benefits of wildcard certificates and if they decide to use them, they should make sure they have strong secure key management policies in place.
CCleaner Compromise Tied to Older ShadowPad Supply-Chain Attack
The hackers behind the attack that resulted in millions of users receiving malware-infected CCleaner updates last year are likely the same ones responsible for an earlier supply-chain compromise involving server management software.
In September, Avast learned that the infrastructure of its Piriform subsidiary had been compromised and attackers used it to deliver malicious versions of CCleaner, a popular system optimization tool, to more than 2.2 million consumers and businesses over the previous month.
A subsequent investigation revealed that the malware bundled with the rogue CCleaner installer was only a first-stage downloader that was used to deploy more sophisticated second-stage malware on 40 computers that attackers deemed interesting. Those computers belonged to well-known technology and telecommunications companies including NEC, Samsung, AsusTek Computer, Sony, Fujitsu, O2, Intel and VMware.
In an update last week, Avast researchers revealed that during their investigation they also found a malware program called ShadowPad on four Piriform computers. The malware had been installed in April, months before the actual supply-chain attack was launched.
The researchers also found an early version of the second-stage malware on the same Piriform computers and signs that a keylogger had been installed at around the same time. This led them to two conclusions: 1) The CCleaner supply-chain attack was likely perpetrated by the gang that uses ShadowPad and 2) ShadowPad was likely the three-stage malware that attackers intended to distribute to select targets who installed the rogue CCleaner version in August.
This is interesting because ShadowPad was discovered by researchers from Kaspersky Lab in a different supply-chain attack in July. That attack involved a backdoored version of an enterprise server management tool called Xmanager developed by a company called NetSarang.
ShadowPad is believed to have been created by a Chinese cyberespionage group known as Axiom, Winnti or Aurora, and other evidence exists that ties the CCleaner attack to this group. The new information comes to strengthen the suspected link, but also raises the question of whether other technology companies out there haven’t been compromised by this group in a similar way and backdoored versions of their products have remained under the radar so far.