Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem

Doowon Kim, Haehyun Cho, Yonghwi Kwon, Adam Doupé, Sooel Son, Gail Joon Ahn, Tudor Dumitras

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Phishing attacks are causing substantial damage albeit extensive effort in academia and industry. Recently, a large volume of phishing attacks transit toward adopting HTTPS, leveraging TLS certificates issued from Certificate Authorities (CAs), to make the attacks more effective. In this paper, we present a comprehensive study on the security practices of CAs in the HTTPS phishing ecosystem. We focus on the CAs, critical actors under-studied in previous literature, to better understand the importance of the security practices of CAs and thwart the proliferating HTTPS phishing. In particular, we first present the current landscape and effectiveness of HTTPS phishing attacks comparing to traditional HTTP ones. Then, we conduct an empirical experiment on the CAs' security practices in terms of the issuance and revocation of the certificates. Our findings highlight serious conflicts between the expected security practices of CAs and reality, raising significant security concerns. We further validate our findings using a longitudinal dataset of abusive certificates used for real phishing attacks in the wild. We confirm that the security concerns of CAs prevail in the wild and these concerns can be one of the main contributors to the recent surge of HTTPS phishing attacks.

Original languageEnglish (US)
Title of host publicationASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery, Inc
Pages407-420
Number of pages14
ISBN (Electronic)9781450382878
DOIs
StatePublished - May 24 2021
Event16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021 - Virtual, Online, Hong Kong
Duration: Jun 7 2021Jun 11 2021

Publication series

NameASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

Conference

Conference16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021
Country/TerritoryHong Kong
CityVirtual, Online
Period6/7/216/11/21

Keywords

  • CA
  • PKI
  • TLS
  • certificates
  • phishing attacks

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Information Systems
  • Software

Fingerprint

Dive into the research topics of 'Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem'. Together they form a unique fingerprint.

Cite this