
Free SSL Certificates Putting Websites at Risk


Businesses that use free security certificates for their websites may want to think twice. Research by Trend Micro, a security company, has revealed that free SSL certificates may put websites at risk.

The issue came to light at Let's Encrypt, a service that began offering free SSL certificates through a beta program in December. In the short time since its launch, these certificates have already been compromised.

SSL certificates create a secure connection for websites, as indicated by the HTTPS prefix in URLs. They are critical for business websites because they ensure that all transactions and data transmissions are kept private and secure. This is particularly important for e-commerce businesses and any website that collects users' information.

Businesses can expect to pay anywhere from less than $10 per year to hundreds of dollars per year for SSL certificates, depending on the type of protection they require. Certificates cover everything from one domain to multiple domains and all subdomains. These costs add up, so it's understandable why many website owners would opt for a free service.

However, Trend Micro has found that hackers are using Let's Encrypt's free certificates to distribute malware through malvertising servers. Hackers take advantage of this vulnerability by hacking into trusted website domains and planting malware that gives them remote access to users' systems without their knowledge.

This allows hackers to carry out a process called domain shadowing, a technique that lets them create a malicious subdomain on a trusted website, for example to serve malvertising.

"In this particular case, the attackers created ad.{legitimate domain}.com under the legitimate site," Trend Micro's report stated. "The domain hosted an ad which appeared to be related to the legitimate domain to disguise its traffic."

This means websites that are hacked will unknowingly host subdomains, ads and malware. For business websites, this puts users, customers and businesses themselves at risk for a security breach.
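A defender-side check for the shadow subdomains described above, as an added example that is not from the original article or Trend Micro's report: it compares hostnames seen on issued certificates against the hostnames a business knows it runs. The record format, the function names and the sample data are assumptions constructed for illustration; the records stand in for whatever certificate issuance data you collect for your domain.

```python
# Added example (not from the article): flag certificates issued for hostnames
# under your domain that are missing from your own inventory.

def normalize(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.strip().lower().rstrip(".")

def covered(host, inventory):
    """True if host is listed exactly or matched by a one-label wildcard."""
    if host in inventory:
        return True
    _, _, parent = host.partition(".")
    return bool(parent) and ("*." + parent) in inventory

def find_shadow_candidates(cert_records, base_domain, inventory):
    """Return (host, issuer, not_before) for in-scope names not in inventory."""
    base = normalize(base_domain)
    known = {normalize(h) for h in inventory}
    findings = set()
    for rec in cert_records:
        for san in rec["names"]:
            host = normalize(san)
            in_scope = host == base or host.endswith("." + base)
            if in_scope and not covered(host, known):
                findings.add((host, rec["issuer"], rec["not_before"]))
    return sorted(findings)

# Constructed sample data: hostnames the business operates, and certificate
# records (subject names, issuer, issue date) observed for the domain.
INVENTORY = ["example.com", "www.example.com", "*.shop.example.com"]
CERTS = [
    {"names": ["example.com", "www.example.com"],
     "issuer": "Constructed Paid CA", "not_before": "2015-11-02"},
    {"names": ["AD.example.com."],                 # unknown subdomain
     "issuer": "Constructed Free CA", "not_before": "2015-12-21"},
    {"names": ["eu.shop.example.com"],             # covered by the wildcard
     "issuer": "Constructed Paid CA", "not_before": "2015-12-01"},
    {"names": ["a.b.shop.example.com"],            # two labels deep: not covered
     "issuer": "Constructed Free CA", "not_before": "2015-12-22"},
    {"names": ["www.notexample.com"],              # different domain: out of scope
     "issuer": "Constructed Free CA", "not_before": "2015-12-23"},
]

if __name__ == "__main__":
    for host, issuer, issued in find_shadow_candidates(CERTS, "example.com", INVENTORY):
        print(f"unexpected certificate: {host} issued {issued} by {issuer}")
```

A flagged name is a prompt to check DNS records and hosting account access for that subdomain, not proof of compromise; an incomplete inventory produces the same result.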

The magnitude of these cyberattacks is as yet unknown. The issue is still being investigated by Trend Micro, which is awaiting a response from Let's Encrypt.

Sara Angeles

Sara is a tech writer with a background in business and marketing. After graduating from UC Irvine, she worked as a copywriter and blogger for nonprofit organizations, tech labs and lifestyle companies. She started freelancing in 2009 and joined Business News Daily in 2013. Follow Sara Angeles on Twitter @sara_angeles.