I read that Let's Encrypt can be exploited by hackers. Is that true?

There is no known security vulnerability in Let's Encrypt that can be exploited. What is usually meant by hacker threat in this context is connected with the type of certificate validation. Let's Encrypt and many other paid SSLs are domain-validated only (DV). This means that in order to issue the certificate, the CA (certificate authority) only checks if the certificate requester owns the domain. If a hacker manages to acquire access (usually through phishing) to your domain account at your domain registrar, they can create subdomains of your domain and issue security certificates for ​the subdomains as if they were the owner. This is called domain shadowing and can result in misleading people that they are visiting your website while in fact it is a subdomain not related to your site at all.

A more secure type of validation is the extended validation (EV).​ With EV, the identity of the certificate requester is also checked by the CA ​in addition to the domain ownership​,​ evеn when issuing a certificate for a subdomain. At QServers we offer EV certificates as well.

Was this answer helpful?

 Print this Article

Also Read

How to Install a Let’s Encrypt SSL From Cpanel

Let’s Encrypt is a service provider that provides SSLs for your website for free. This allows you...

What is displayed by browsers for HTTPS websites using Let's Encrypt SSL?

Let's Encrypt is a trusted authority so there will be no warning messages as long as your site is...

What is Let's Encrypt?

Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's...

I installed Let's Encrypt but my site doesn't open via https

Probably you haven't redirected your site to open through https and it defaults to http.If you...

Can I get Let's Encrypt certificates at QServers?

Yes, you can. Let's Encrypt certificates can be installed for free through the cPanel of your...