There is no known security vulnerability in Let's Encrypt that can be exploited. What is usually meant by hacker threat in this context relates to the type of certificate validation. Let's Encrypt and many other paid SSLs are domain-validated only (DV). This means that in order to issue the certificate, the CA (certificate authority) only checks if the certificate requester owns the domain. If a hacker manages to acquire access (usually through phishing) to your domain account at your domain registrar, they can create subdomains of your domain and issue security certificates for the subdomains as if they were the owner. This is called domain shadowing and can result in misleading people that they are visiting your website while in fact, it is a subdomain not related to your site at all.
- 0 Users Found This Useful