Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem

Doowon Kim; Haehyun Cho; Yonghwi Kwon; Adam Doupé; Sooel Son; Gail Joon Ahn; Tudor Dumitras

doi:10.1145/3433210.3453100

Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem

Doowon Kim, Haehyun Cho, Yonghwi Kwon, Adam Doupé, Sooel Son, Gail Joon Ahn, Tudor Dumitras

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

Phishing attacks are causing substantial damage albeit extensive effort in academia and industry. Recently, a large volume of phishing attacks transit toward adopting HTTPS, leveraging TLS certificates issued from Certificate Authorities (CAs), to make the attacks more effective. In this paper, we present a comprehensive study on the security practices of CAs in the HTTPS phishing ecosystem. We focus on the CAs, critical actors under-studied in previous literature, to better understand the importance of the security practices of CAs and thwart the proliferating HTTPS phishing. In particular, we first present the current landscape and effectiveness of HTTPS phishing attacks comparing to traditional HTTP ones. Then, we conduct an empirical experiment on the CAs' security practices in terms of the issuance and revocation of the certificates. Our findings highlight serious conflicts between the expected security practices of CAs and reality, raising significant security concerns. We further validate our findings using a longitudinal dataset of abusive certificates used for real phishing attacks in the wild. We confirm that the security concerns of CAs prevail in the wild and these concerns can be one of the main contributors to the recent surge of HTTPS phishing attacks.

Original language	English (US)
Title of host publication	ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
Publisher	Association for Computing Machinery, Inc
Pages	407-420
Number of pages	14
ISBN (Electronic)	9781450382878
DOIs	https://doi.org/10.1145/3433210.3453100
State	Published - May 24 2021
Event	16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021 - Virtual, Online, Hong Kong Duration: Jun 7 2021 → Jun 11 2021

Publication series

Name	ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

Conference

Conference	16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021
Country/Territory	Hong Kong
City	Virtual, Online
Period	6/7/21 → 6/11/21

Keywords

CA
PKI
TLS
certificates
phishing attacks

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications
Information Systems
Software

Access to Document

10.1145/3433210.3453100

Cite this

Kim, D., Cho, H., Kwon, Y., Doupé, A., Son, S., Ahn, G. J., & Dumitras, T. (2021). Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem. In ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (pp. 407-420). (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3433210.3453100

Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem. / Kim, Doowon; Cho, Haehyun; Kwon, Yonghwi et al.
ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2021. p. 407-420 (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kim, D, Cho, H, Kwon, Y, Doupé, A, Son, S, Ahn, GJ & Dumitras, T 2021, Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem. in ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 407-420, 16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021, Virtual, Online, Hong Kong, 6/7/21. https://doi.org/10.1145/3433210.3453100

Kim D, Cho H, Kwon Y, Doupé A, Son S, Ahn GJ et al. Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem. In ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2021. p. 407-420. (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security). doi: 10.1145/3433210.3453100

Kim, Doowon ; Cho, Haehyun ; Kwon, Yonghwi et al. / Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem. ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2021. pp. 407-420 (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security).

@inproceedings{8b95c88316a44b9aab182092bc08484c,

title = "Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem",

abstract = "Phishing attacks are causing substantial damage albeit extensive effort in academia and industry. Recently, a large volume of phishing attacks transit toward adopting HTTPS, leveraging TLS certificates issued from Certificate Authorities (CAs), to make the attacks more effective. In this paper, we present a comprehensive study on the security practices of CAs in the HTTPS phishing ecosystem. We focus on the CAs, critical actors under-studied in previous literature, to better understand the importance of the security practices of CAs and thwart the proliferating HTTPS phishing. In particular, we first present the current landscape and effectiveness of HTTPS phishing attacks comparing to traditional HTTP ones. Then, we conduct an empirical experiment on the CAs' security practices in terms of the issuance and revocation of the certificates. Our findings highlight serious conflicts between the expected security practices of CAs and reality, raising significant security concerns. We further validate our findings using a longitudinal dataset of abusive certificates used for real phishing attacks in the wild. We confirm that the security concerns of CAs prevail in the wild and these concerns can be one of the main contributors to the recent surge of HTTPS phishing attacks.",

keywords = "CA, PKI, TLS, certificates, phishing attacks",

author = "Doowon Kim and Haehyun Cho and Yonghwi Kwon and Adam Doup{\'e} and Sooel Son and Ahn, {Gail Joon} and Tudor Dumitras",

note = "Funding Information: We thank the anonymous referees for their constructive feedback. We also thank Adam Oest for his support in this study, and particularly for his contribution to the data collection and the analysis. The authors gratefully acknowledge the support of National Science Foundation (Grants No. CNS-1916499, CNS-1850392, CNS-1703644, CNS-1651661, and OAC-1908021), Defense Advanced Research Projects Agency (Grant No. HR001118C0060 and FA875019C 0003), National Research Foundation of Korea (Grant No. NRF-2020R1C1C1009031), and the Institute for Information & communications Technology Promotion (Grant No. 2017-0-00168). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor. Publisher Copyright: {\textcopyright} 2021 ACM.; 16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021 ; Conference date: 07-06-2021 Through 11-06-2021",

year = "2021",

month = may,

day = "24",

doi = "10.1145/3433210.3453100",

language = "English (US)",

series = "ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

pages = "407--420",

booktitle = "ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security",

}

TY - GEN

T1 - Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem

AU - Kim, Doowon

AU - Cho, Haehyun

AU - Kwon, Yonghwi

AU - Doupé, Adam

AU - Son, Sooel

AU - Ahn, Gail Joon

AU - Dumitras, Tudor

N1 - Funding Information: We thank the anonymous referees for their constructive feedback. We also thank Adam Oest for his support in this study, and particularly for his contribution to the data collection and the analysis. The authors gratefully acknowledge the support of National Science Foundation (Grants No. CNS-1916499, CNS-1850392, CNS-1703644, CNS-1651661, and OAC-1908021), Defense Advanced Research Projects Agency (Grant No. HR001118C0060 and FA875019C 0003), National Research Foundation of Korea (Grant No. NRF-2020R1C1C1009031), and the Institute for Information & communications Technology Promotion (Grant No. 2017-0-00168). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor. Publisher Copyright: © 2021 ACM.

PY - 2021/5/24

Y1 - 2021/5/24

N2 - Phishing attacks are causing substantial damage albeit extensive effort in academia and industry. Recently, a large volume of phishing attacks transit toward adopting HTTPS, leveraging TLS certificates issued from Certificate Authorities (CAs), to make the attacks more effective. In this paper, we present a comprehensive study on the security practices of CAs in the HTTPS phishing ecosystem. We focus on the CAs, critical actors under-studied in previous literature, to better understand the importance of the security practices of CAs and thwart the proliferating HTTPS phishing. In particular, we first present the current landscape and effectiveness of HTTPS phishing attacks comparing to traditional HTTP ones. Then, we conduct an empirical experiment on the CAs' security practices in terms of the issuance and revocation of the certificates. Our findings highlight serious conflicts between the expected security practices of CAs and reality, raising significant security concerns. We further validate our findings using a longitudinal dataset of abusive certificates used for real phishing attacks in the wild. We confirm that the security concerns of CAs prevail in the wild and these concerns can be one of the main contributors to the recent surge of HTTPS phishing attacks.

AB - Phishing attacks are causing substantial damage albeit extensive effort in academia and industry. Recently, a large volume of phishing attacks transit toward adopting HTTPS, leveraging TLS certificates issued from Certificate Authorities (CAs), to make the attacks more effective. In this paper, we present a comprehensive study on the security practices of CAs in the HTTPS phishing ecosystem. We focus on the CAs, critical actors under-studied in previous literature, to better understand the importance of the security practices of CAs and thwart the proliferating HTTPS phishing. In particular, we first present the current landscape and effectiveness of HTTPS phishing attacks comparing to traditional HTTP ones. Then, we conduct an empirical experiment on the CAs' security practices in terms of the issuance and revocation of the certificates. Our findings highlight serious conflicts between the expected security practices of CAs and reality, raising significant security concerns. We further validate our findings using a longitudinal dataset of abusive certificates used for real phishing attacks in the wild. We confirm that the security concerns of CAs prevail in the wild and these concerns can be one of the main contributors to the recent surge of HTTPS phishing attacks.

KW - CA

KW - PKI

KW - TLS

KW - certificates

KW - phishing attacks

UR - http://www.scopus.com/inward/record.url?scp=85108118526&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85108118526&partnerID=8YFLogxK

U2 - 10.1145/3433210.3453100

DO - 10.1145/3433210.3453100

M3 - Conference contribution

AN - SCOPUS:85108118526

T3 - ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

SP - 407

EP - 420

BT - ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

T2 - 16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021

Y2 - 7 June 2021 through 11 June 2021

ER -

Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this