Extended Validation in the Dark Web: Evidence from Investigation of the Certification Services and Products Sold on Darknet Markets
TLS certificates fulfill two critical security functions. First, the certificate plays a key role in authenticating and verifying the identity of a host, client or application. Second, it enables the encryption of data exchanged between a client and a server. To support the sensitive operation of identity verification, SSL/TLS certificates are supposed to be issued by trusted certificate authorities (CAs), which verify that the requesting companies are legitimate in order to reduce the risk of fraud and establish trust in a website or service.
However, in March 2019, the Evidence-Based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and Venafi released a detailed report, which offered evidence of the presence of a steady supply of SSL/TLS certificates on several darknet markets (Maimon et al. 2019). Specifically, we reported that SSL/TLS certificates are offered for sale either as part of crimeware services and products (for example, malicious websites and ransomware) or as a standalone product, at prices ranging from 1,600 (depending on the type of certificate and scope of additional services offered). In these advertisements, several vendors offered Extended Validation (EV) certificates for sale; these certificates require confirmation of the legal entity of the owner by a designated CA and are designed to confer the highest level of trust.
As a next step, we wanted to explore whether darknet vendors were able to deliver on their promise to supply EV certificates. To this end, we communicated with these vendors over various communication platforms between December 2018 and August 2019, and this report details our findings from this intensive research effort and outlines our insights.
Our findings show that the process employed by CAs to validate the true identity of companies and organizations is problematic at best and has already been outsmarted by organized crime groups that operate around the world to obtain EV certificates for nonexistent retail and financial organizations.
SSL/TLS Certificates and Their Prevalence on the Dark Web (First Report)
As organizations focus on the digital transformation of their businesses, the importance of encryption as the cornerstone of security and privacy is increasingly vital. In 2018, over 70 percent of internet traffic was encrypted, and experts expect this figure to rise to 80 percent in 2019 (Google, 2019). Secure Sockets Layer (SSL, an older standard) and Transport Layer Security (TLS, a newer standard) certificates are essential to encryption because they authenticate the parties to every encrypted connection between machines. SSL/TLS certificates are instrumental in protecting privacy and improving security, providing each machine with a unique machine identity. They control the flow of sensitive data to authorized machines and are used in everything from website transactions and mobile devices to smart city initiatives, robots, artificial intelligence algorithms and containers in the cloud.
Despite the pivotal role encryption plays in our digital economy and across the internet, the processes needed to protect digital certificates are not well understood or widely followed. As a result, SSL/TLS certificates are often poorly protected, making them attractive targets for attackers. In fact, illegitimate access to SSL/TLS certificates has played a key role in several high-profile, high-impact breaches—such as Snowden, Sony and Equifax.
To shine a light on the availability of SSL/TLS certificates on the dark web, the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey spearheaded a research program, sponsored by Venafi. This report details the preliminary findings of the research and outlines the volume of SSL/TLS certificates for sale on the dark web, including information on how they are packaged and sold to attackers. These certificates can be used to eavesdrop on sensitive communications, spoof websites, trick consumers and steal data. The long-term goal of this research is to gain a more thorough understanding of the role SSL/TLS certificates play in the economy of the dark web as well as how they are being used by attackers.
This is the first of three reports—the first of their kind—focused on the underground SSL/TLS marketplace and its role in the wider cybercrime economy. This report will show that there is a machine identity-as-a-service marketplace on the dark web, where fraudulent TLS certificates are readily available for purchase.