ABSTRACT
Phishing attacks continue to cause substantial damage despite extensive efforts in academia and industry. Recently, a large volume of phishing attacks has transitioned toward HTTPS, leveraging TLS certificates issued by Certificate Authorities (CAs) to make the attacks more effective. In this paper, we present a comprehensive study of the security practices of CAs in the HTTPS phishing ecosystem. We focus on CAs, critical actors under-studied in previous literature, to better understand the importance of their security practices and to thwart the proliferation of HTTPS phishing. In particular, we first present the current landscape and effectiveness of HTTPS phishing attacks compared to traditional HTTP ones. Then, we conduct an empirical experiment on the CAs' security practices in terms of the issuance and revocation of certificates. Our findings highlight serious conflicts between the expected security practices of CAs and reality, raising significant security concerns. We further validate our findings using a longitudinal dataset of abusive certificates used for real phishing attacks in the wild. We confirm that these security concerns about CAs prevail in the wild and can be one of the main contributors to the recent surge of HTTPS phishing attacks.
Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem