As organizations focus on the digital transformation of their businesses, encryption is increasingly vital as the cornerstone of security and privacy. In 2018, over 70 percent of internet traffic was encrypted. Experts expect this figure to rise to 80 percent in 2019 (Google, 2019). Secure Sockets Layer (SSL, an older standard) and Transport Layer Security (TLS, a newer standard) certificates are essential to encryption because they authorize all encrypted communication between machines. SSL/TLS certificates are instrumental in protecting privacy and improving security, providing each machine with a unique machine identity. They control the flow of sensitive data to authorized machines and are used in everything from website transactions and mobile devices to smart city initiatives, robots, artificial intelligence algorithms and containers in the cloud.

Despite the pivotal role encryption plays in our digital economy and across the internet, the processes needed to protect digital certificates are not well understood or widely followed. As a result, SSL/TLS certificates are often poorly protected, making them attractive targets for attackers. In fact, illegitimate access to SSL/TLS certificates has played a key role in several high-profile, high-impact breaches—such as Snowden, Sony and Equifax.

To shine a light on the availability of SSL/TLS certificates on the dark web, the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey spearheaded a research program, sponsored by Venafi. This report details the preliminary findings of the research and outlines the volume of SSL/TLS certificates for sale on the dark web, including information on how they are packaged and sold to attackers. These certificates can be used to eavesdrop on sensitive communications, spoof websites, trick consumers and steal data. The long-term goal of this research is to gain a more thorough understanding of the role SSL/TLS certificates play in the economy of the dark web as well as how they are being used by attackers.

This is the first of three reports, the first of their kind, focused on the underground SSL/TLS marketplace and its role in the wider cybercrime economy. This report will show that there is a machine identity-as-a-service marketplace on the dark web, where fraudulent TLS certificates are readily available for purchase.