Author ORCID Identifier

David Maimon: https://orcid.org/0000-0003-1492-2762

Document Type

Report

Publication Date

2020

Abstract

TLS certificates fulfill two critical security functions. First, the certificate plays a key role in authenticating and verifying the identity of a host, client or application. Second, it enables the encryption of data exchanged between a client and a server. To support the sensitive operation of identity verification, SSL/TLS certificates are supposed to be issued by trusted certificate authorities (CAs) who verify and check that companies are legitimate in order to reduce the risk of fraud and establish trust in a website or service.

However, in March 2019, the Evidence-Based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and Venafi released a detailed report, which offered evidence of the presence of a steady supply of SSL/TLS certificates on several darknet markets (Maimon et al. 2019). Specifically, we reported that SSL/TLS certificates are offered for sale either as part of crimeware services and products (for example, malicious websites and ransomware) or as a standalone product, at prices ranging from $260 to $1,600 (depending on the type of certificate and scope of additional services offered). In these advertisements, several vendors offered Extended Validation (EV) certificates for sale; these certificates require confirmation of the legal entity of the owner by a designated CA and are designed to confer the highest level of trust.

As a next step, we wanted to explore whether darknet vendors were able to deliver on their promise to supply EV certificates. To this end, we communicated with these vendors over various communication platforms between December 2018 and August 2019, and this report details our findings from this intensive research effort and outlines our insights.

Our findings show that the process employed by CAs to validate the true identity of companies and organizations is problematic at best and has already been outsmarted by organized crime groups that operate around the world to issue EV certificates to nonexistent retail and financial organizations.
