Can a TLS Certificate Be Phishy?

Kaspar Hageman, Egon Kidmose, René Hansen, Jens Pedersen

2021

Abstract

This paper investigates the potential of using digital certificates for the detection of phishing domains. This is motivated by phishing domains that have started to abuse the (erroneous) trust of the public in browser padlock symbols, and by the large-scale adoption of the Certificate Transparency (CT) framework. This publicly accessible evidence trail of Transport Layer Security (TLS) certificates has made the TLS landscape more transparent than ever. By comparing samples of phishing, popular benign, and non-popular benign domains, we provide insight into the TLS certificate issuance behavior for phishing domains, focusing on the selection of the certificate authority, the validation level of the certificates, and the phenomenon of certificate sharing among phishing domains. Our results show that phishing domains gravitate to a relatively small selection of certificate authorities, and disproportionally to cPanel, and tend to rely on certificates with a low, and cheap, validation level. Additionally, we demonstrate that the vast majority of certificates issued for phishing domains cover more than only phishing domains. These results suggest that a more proactive role for CAs and more emphasis on certificate revocation can have a crucial impact in the defense against phishing attacks.



Paper Citation


in Harvard Style

Hageman K., Kidmose E., Hansen R. and Pedersen J. (2021). Can a TLS Certificate Be Phishy? In Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT, ISBN 978-989-758-524-1, pages 38-49. DOI: 10.5220/0010516600380049


in Bibtex Style

@conference{secrypt21,
author={Kaspar Hageman and Egon Kidmose and René Hansen and Jens Pedersen},
title={Can a TLS Certificate Be Phishy?},
booktitle={Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2021},
pages={38-49},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010516600380049},
isbn={978-989-758-524-1},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 18th International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - Can a TLS Certificate Be Phishy?
SN - 978-989-758-524-1
AU - Hageman K.
AU - Kidmose E.
AU - Hansen R.
AU - Pedersen J.
PY - 2021
SP - 38
EP - 49
DO - 10.5220/0010516600380049