
New Georgia Tech EV SSL Security Research: EV Domains Are 99.99% Free From Online Crime

Today we have new research from the Cyber Forensics Innovation (CyFI) Lab at Georgia Tech on Extended Validation (EV) SSL certificates and online criminal actors. The CyFI lab collected the domain names from 2.6 million EV certificates dating from 2010 and compared them against a number of sources that identify known or suspected bad actors. These sources included domains associated with:

  • Underground marketplaces and forums
  • IP blacklists
  • Malware

This investigation, made possible by a financial contribution from Sectigo, found that 99.99% of the domains with EV certificates have no association with the bad-actor domains identified in those sources. The research team writes in its report:

‘The probability of an EV SSL certificate being associated with malicious domains is less than 0.00013 or less than 0.013%. This means that EV SSL certificates are most likely not associated with domains related to underground forums and marketplaces or malware/cybercrime activities.’

Because some malware pings popular websites for functional reasons that are entirely unrelated to malicious activity, even this figure may be pessimistic about the level of assurance an EV certificate provides. For example, the malware-associated domain list that CyFI matched against includes domains belonging to Apple, Symantec, Comodo and Citrix. It is highly unlikely that these companies are bad actors; far more likely, the malware authors contact these sites for entirely different reasons, and a legitimate EV domain is then counted as a match.
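The methodology described above (collect the domain names from EV certificates, compare them against abuse feeds) and the false-positive caveat just mentioned can be reproduced in miniature. The Go program below is an added example written for this page; it is not code from CyFI, Georgia Tech, Sectigo or the paper, and it uses none of their data. It identifies EV certificates by the CA/Browser Forum EV policy OID 2.23.140.1.1 in the certificatePolicies extension, collects their normalized SAN names, and intersects that set with a constructed threat feed while excluding a known-benign list of the kind the Apple/Symantec/Comodo/Citrix hits call for. The certificates are self-signed and generated at run time by a hypothetical mintCert helper so that the example runs offline; every domain name and feed entry is constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// 2.23.140.1.1 is the CA/Browser Forum EV policy OID; 2.5.29.32 is id-ce-certificatePolicies.
var oidCABFExtendedValidation = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// isEV reports whether a parsed certificate asserts the EV policy OID; no policies, or only DV/OV or CA-private OIDs, means not EV.
func isEV(cert *x509.Certificate) bool {
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(oidCABFExtendedValidation) {
			return true
		}
	}
	return false
}

// normalize lowercases a dNSName and drops a trailing dot and a leading wildcard label.
func normalize(n string) string { return strings.TrimPrefix(strings.ToLower(strings.TrimSuffix(n, ".")), "*.") }

// evDomains collects the normalized SAN names of EV certificates only.
func evDomains(certs []*x509.Certificate) map[string]bool {
	out := map[string]bool{}
	for _, c := range certs {
		if !isEV(c) {
			continue
		}
		for _, n := range c.DNSNames {
			out[normalize(n)] = true
		}
	}
	return out
}

// matchFeed intersects the EV set with a threat feed, skipping known-benign names (the triage step the caveat above calls for).
func matchFeed(ev map[string]bool, feed []string, benign map[string]bool) []string {
	var hits []string
	for _, d := range feed {
		if d = normalize(d); ev[d] && !benign[d] {
			hits = append(hits, d)
		}
	}
	return hits
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert is a hypothetical helper that self-signs a throwaway test certificate. For EV it hand-encodes
// certificatePolicies (SEQUENCE OF PolicyInformation, qualifiers omitted) via ExtraExtensions, independent of Go version.
func mintCert(dnsNames []string, ev bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ev {
		pol := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidCABFExtendedValidation}}))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: pol}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// demo runs the pipeline over constructed certificates and a constructed feed (no CyFI data); returns the EV set and flagged names.
func demo() (ev map[string]bool, hits []string) {
	certs := []*x509.Certificate{
		mintCert([]string{"shop.example.com", "*.example.com"}, true),
		mintCert([]string{"vendor.example.com"}, true), // benign vendor that malware pings
		mintCert([]string{"blog.example.org"}, false),  // DV certificate, must not count
	}
	feed := []string{"SHOP.example.com.", "blog.example.org", "vendor.example.com", "evil.example.biz"}
	ev = evDomains(certs)
	return ev, matchFeed(ev, feed, map[string]bool{"vendor.example.com": true})
}

func main() {
	ev, hits := demo()
	fmt.Printf("%d EV domains; flagged after benign filtering: %v\n", len(ev), hits)
}
```

Of the four feed entries, only shop.example.com is reported: blog.example.org and evil.example.biz are not EV domains at all, and vendor.example.com is dropped by the benign list rather than inflating the count, which is exactly the adjustment the paragraph above argues for. A real run would also normalize to the registrable domain (eTLD+1) and pull the policy OIDs from CT logs rather than from locally minted certificates.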

Among the 2.6 million EV domains assessed, CyFI found a total of three domains with EV certificates associated with cyber actors actively tracked on underground marketplaces and forums, along with seven cyber actors connected to them. The paper provides details on these domains and actors.

The research team writes: ‘We found that the likelihood of a domain with an EV certificate being abused or associated with cybercrime is negligible compared to cybercrime or abuse.’ The summary section of the paper adds: ‘We conclude that EV certificates are highly indicative of legitimate domains registered by legitimate companies. Therefore, users will benefit from noticing and using browser security indicators as a guide to trust domains with EV SSL certificates.’

The CyFI team has proposed further research on this topic, including distinguishing domains that were set up and owned by cyber actors from domains that were compromised and then abused. CyFI would also like to investigate how browsers can make better use of this information to communicate the known legitimacy of a particular site to the end user in a way that supports safer decisions.

Sectigo encourages CyFI and all other academic and white-hat researchers to continue working on this topic. The company is strongly committed to working with white hats to make a significant contribution to overall cybersecurity. We encourage any white hat who would like to work with Secorio to identify and remediate potential vulnerabilities in our global PKI infrastructure to contact us. You can contact us directly; we will then work with Sectigo to identify the key points for collaboration.
