
John Tanner

1y ago

Business Analyst | Stroke Survivor | Digital Writer. Reviewing lessons from my recovery and career in manufacturing, finance & IT to discover process improvements.

How SSL encrypts WordPress data, and abuse of the hidden "acme-challenge" directory by ransomware hackers

When people interact with a website to buy something or enter their details, that personal information needs to be encrypted while it travels between computers. The data is encrypted once the website administrator has obtained an SSL digital certificate authenticating the business.

SSL certificates can be obtained automatically by running a certificate management agent on the web server. The certificate is issued by Let's Encrypt, which authenticates the domain through the ACME protocol: domain validation is done by issuing a set of challenges, and the '.well-known' and 'acme-challenge' directories are created specifically to store the validation files for those challenges.

Let's Encrypt's Certificate Management Agent Process

  1. The agent generates a new key pair, which it will use to prove to Let's Encrypt that the server controls the domain.

  2. The agent asks Let's Encrypt for a challenge to prove that it controls the domain name.

  3. Let's Encrypt issues one or more challenges. Example: provisioning a DNS record under yourdomain.com, or provisioning an HTTP resource under a well-known URI on http://yourdomain.com/.

  4. Let's Encrypt also provides a nonce that the agent must sign with its private key to prove that it controls the key pair.

  5. The agent software completes the challenge by creating a unique token file inside the /.well-known/acme-challenge/ (or /.well-known/pki-validation/) directory on the domain's site, to show the certificate authority that it controls the domain.

  6. Let's Encrypt checks that the challenges have been satisfied, downloading the file from the web server to verify its content, and verifies the signature on the nonce.



It has been reported that hackers are targeting the hidden ".well-known" directory on HTTPS websites to store and distribute Shade ransomware and phishing pages.


The attackers use these locations to hide malware and phishing pages from the website administrators. The tactic works because this directory is already present on most HTTPS sites and is hidden, which increases the lifetime of the malicious or phishing content on the compromised site.
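As an added example (not code from the original post, nor from Let's Encrypt's own agent), the Python below builds the HTTP-01 key authorization that the agent in step 5 places under /.well-known/acme-challenge/, and then audits that directory the way a site administrator would: anything that is not a token-named file whose content is exactly token.thumbprint for the site's own account key is flagged. The account JWK, the token and the planted files are constructed sample data.

```python
import base64, hashlib, json, os, re, tempfile

# Constructed (not real) ACME account key in JWK form, as the agent would hold it.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "CONSTRUCTED_X", "y": "CONSTRUCTED_Y"}
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # tokens are base64url (RFC 8555 8.3)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at /.well-known/acme-challenge/<token>: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def audit_acme_dir(webroot: str, jwk: dict) -> list:
    """Return (name, reason) for every entry that is not a valid HTTP-01 response for this key."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    findings = []
    for name in sorted(os.listdir(challenge_dir)):
        path = os.path.join(challenge_dir, name)
        if not os.path.isfile(path):
            findings.append((name, "not a regular file"))
        elif not TOKEN_RE.match(name):
            findings.append((name, "name is not a base64url token"))
        else:
            with open(path, "rb") as f:
                body = f.read(4096).strip()
            if body != key_authorization(name, jwk).encode():
                findings.append((name, "content is not token.thumbprint for this account key"))
    return findings

def demo() -> list:
    """Constructed webroot: one legitimate challenge file plus two planted files."""
    webroot = tempfile.mkdtemp()
    d = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(d)
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # token format from RFC 8555
    files = {
        token: key_authorization(token, ACCOUNT_JWK) + "\n",  # what the agent would write
        "login.html": "<html>constructed sample page</html>",  # foreign file type
        "dGVzdA": "constructed non-challenge content",           # token-shaped name, wrong body
    }
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(text)
    return audit_acme_dir(webroot, ACCOUNT_JWK)
```

Run against a real webroot, the same check should pass only while a renewal is in progress; outside that window the directory should be empty, so any file at all is worth a look.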
