Can a TLS certificate be phishy?

Kaspar Hageman; Egon Kidmose; René Rydhof Hansen; Jens Myrup Pedersen

doi:10.5220/0010516600380049

Can a TLS certificate be phishy?

Kaspar Hageman, Egon Kidmose, René Rydhof Hansen, Jens Myrup Pedersen

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

4 Citations (Scopus)

180 Downloads (Pure)

Abstract

This paper investigates the potential of using digital certificates for the detection of phishing domains. This i motivated by phishing domains that have started to abuse the (erroneous) trust of the public in browser padloc symbols, and by the large-scale adoption of the Certificate Transparency (CT) framework. This publicl accessible evidence trail of Transport Layer Security (TLS) certificates has made the TLS landscape mor transparent than ever. By comparing samples of phishing, popular benign, and non-popular benign domains we provide insight into the TLS certificates issuance behavior for phishing domains, focusing on the selectio of the certificate authority, the validation level of the certificates, and the phenomenon of certificate sharin among phishing domains. Our results show that phishing domains gravitate to a relatively small selection o certificate authorities, and disproportionally to cPanel, and tend to rely on certificates with a low, and cheap validation level. Additionally, we demonstrate that the vast majority of certificates issued for phishing domain cover more than only phishing domains. These results suggest that a more pro-active role of CAs and puttin more emphasis on certificate revocation can have a crucial impact in the defense against phishing attacks.

Original language	English
Title of host publication	Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021
Editors	Sabrina De Capitani di Vimercati, Pierangela Samarati
Number of pages	12
Publisher	SCITEPRESS Digital Library
Publication date	2021
Pages	38-49
ISBN (Electronic)	978-989-758-524-1
DOIs	https://doi.org/10.5220/0010516600380049
Publication status	Published - 2021
Event	18th International Conference on Security and Cryptography, SECRYPT 2021 - Virtual, Online Duration: 6 Jul 2021 → 8 Jul 2021

Conference

Conference	18th International Conference on Security and Cryptography, SECRYPT 2021
City	Virtual, Online
Period	06/07/2021 → 08/07/2021
Sponsor	Institute for Systems and Technologies of Information, Control and Communication (INSTICC)

Series	International Conference on Security and Cryptography - SECRYPT - Proceedings
ISSN	2184-7711

Bibliographical note

Funding Information:
This research is carried out under the SecDNS project, funded by Innovation Fund Denmark. We thank Cen-sys.io for sharing their CT log data with us, and we are thankful for the APWG for granting us access to their eCX platform.

Publisher Copyright:
Copyright © 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved

Keywords

Certificate Transparency
Digital Certificate
Phishing
TLS

Access to Document

10.5220/0010516600380049Licence: CC BY-NC-ND 4.0

Open Access articleFinal published version, 509 KBLicence: CC BY-NC-ND 4.0

AUB Link

Search for the material in Aalborg University Library's search engine

Cite this

Hageman, Kaspar ; Kidmose, Egon ; Hansen, René Rydhof et al. / Can a TLS certificate be phishy?. Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021. editor / Sabrina De Capitani di Vimercati ; Pierangela Samarati. SCITEPRESS Digital Library, 2021. pp. 38-49 (International Conference on Security and Cryptography - SECRYPT - Proceedings).

@inproceedings{44d6226cadd94e92a5cfc3e5b4d531e9,

title = "Can a TLS certificate be phishy?",

abstract = "This paper investigates the potential of using digital certificates for the detection of phishing domains. This i motivated by phishing domains that have started to abuse the (erroneous) trust of the public in browser padloc symbols, and by the large-scale adoption of the Certificate Transparency (CT) framework. This publicl accessible evidence trail of Transport Layer Security (TLS) certificates has made the TLS landscape mor transparent than ever. By comparing samples of phishing, popular benign, and non-popular benign domains we provide insight into the TLS certificates issuance behavior for phishing domains, focusing on the selectio of the certificate authority, the validation level of the certificates, and the phenomenon of certificate sharin among phishing domains. Our results show that phishing domains gravitate to a relatively small selection o certificate authorities, and disproportionally to cPanel, and tend to rely on certificates with a low, and cheap validation level. Additionally, we demonstrate that the vast majority of certificates issued for phishing domain cover more than only phishing domains. These results suggest that a more pro-active role of CAs and puttin more emphasis on certificate revocation can have a crucial impact in the defense against phishing attacks.",

keywords = "Certificate Transparency, Digital Certificate, Phishing, TLS",

author = "Kaspar Hageman and Egon Kidmose and Hansen, {Ren{\'e} Rydhof} and Pedersen, {Jens Myrup}",

note = "Funding Information: This research is carried out under the SecDNS project, funded by Innovation Fund Denmark. We thank Cen-sys.io for sharing their CT log data with us, and we are thankful for the APWG for granting us access to their eCX platform. Publisher Copyright: Copyright {\textcopyright} 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved; 18th International Conference on Security and Cryptography, SECRYPT 2021 ; Conference date: 06-07-2021 Through 08-07-2021",

year = "2021",

doi = "10.5220/0010516600380049",

language = "English",

series = "International Conference on Security and Cryptography - SECRYPT - Proceedings",

publisher = "SCITEPRESS Digital Library",

pages = "38--49",

editor = "{di Vimercati}, {Sabrina De Capitani} and Pierangela Samarati",

booktitle = "Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021",

}

Hageman, K, Kidmose, E, Hansen, RR & Pedersen, JM 2021, Can a TLS certificate be phishy? in SDC di Vimercati & P Samarati (eds), Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021. SCITEPRESS Digital Library, International Conference on Security and Cryptography - SECRYPT - Proceedings, pp. 38-49, 18th International Conference on Security and Cryptography, SECRYPT 2021, Virtual, Online, 06/07/2021. https://doi.org/10.5220/0010516600380049

Can a TLS certificate be phishy? / Hageman, Kaspar; Kidmose, Egon; Hansen, René Rydhof et al.
Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021. ed. / Sabrina De Capitani di Vimercati; Pierangela Samarati. SCITEPRESS Digital Library, 2021. p. 38-49 (International Conference on Security and Cryptography - SECRYPT - Proceedings).

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review