
Are You Concerned that TLS Certificates Are Being Sold on the Dark Web?

April 22, 2019 | Anastasios Arampatzis


Venafi recently sponsored an academic study of the availability of SSL/TLS certificates on the dark web, and their role in the cybercrime economy. The research, undertaken by researchers at the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey, uncovered thriving marketplaces for TLS certificates sold both individually and packaged with a wide range of crimeware.

Together these services deliver “machine-identities-as-a-service” to cyber criminals who wish to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data “in order to give attackers immediate access to high levels of online credibility and trust,” as David Maimon, associate professor and director of the Evidence-based Cybersecurity Research Group, said during the announcement of the study.


A Systemic Failure of Trust

As organizations focus on the digital transformation of their businesses, encryption is increasingly vital as the cornerstone of security and privacy. TLS certificates are essential to encryption because they authorize all encrypted communication between machines. They are instrumental in protecting privacy and improving security, providing each machine with a unique machine identity.

Despite the pivotal role encryption plays in our digital economy and across the internet, the processes needed to protect digital certificates are not well understood or widely followed. As a result, TLS certificates are often poorly protected, making them attractive targets for attackers. If these certificates are fraudulent, compromised, forged or tampered with, they can be powerful tools for attackers to launch high profile attacks.

This is deeply related to the mechanics behind the trust model of a TLS certificate. To cut a long story short, when a browser receives a TLS certificate, it follows each digital signature back to the certificate of the issuer that produced it, until it eventually reaches one of the trusted roots in its trust store. As long as the certificate’s signature can be chained back to a root, the certificate is trusted. A fraudulent certificate is a trusted certificate that is associated with a site that the certificate’s owner doesn’t actually control.

More specifically, fraudulent certificates could be sold in the online underground market on the dark web to malicious parties if a trusted certificate authority is breached and private keys are stolen from it. In turn, these malicious actors could use them to move silently between trusted machines, “listen” to encrypted traffic, and escalate privileges to access sensitive data. Moreover, if the verification processes used by trusted certificate authorities to verify the identity of the requesting party can be circumvented or spoofed, malicious actors can be issued a TLS certificate that delivers the highest levels of trust, such as an EV certificate. This allows attackers to create “trustworthy” spoofed or malicious websites and encrypt the traffic between malicious servers and targeted users, making it more difficult to identify problematic behavior. It is a systemic failure of the trust model of authentication.

Must We Be Concerned?

The sale of TLS certificates on the dark web is deeply concerning, because consumers are advised by security professionals to visit credible sites using TLS certificates to complete their online purchases. Breaking the trust model demonstrates the ingenuity cyber criminals apply to making money in the competitive, yet illegal, underground marketplace.

TLS certificates have actually become a weapon of choice for cyber criminals. Kevin Bocek, vice president of security and threat intelligence for Venafi, stated in discussing this threat that “TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits – just like bots, ransomware and spyware. Every organization should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponized and sold as commodities to cyber criminals.”

That’s very true indeed. No matter what kind of networked entity the certificate is associated with, if an external cyber attacker has unauthorized access, the consequences will be devastating. Whether the machine associated with the machine identity contains financial data or just a way into an organization’s internal communications, tremendous damage can be done to a wide variety of organizations, both private and state owned, and it may go unnoticed until it is too late. Hence, TLS certificates are a precious commodity in the cybercrime ecosystem. It shouldn’t be a surprise that the rise in demand for TLS certificates comes at a time when the sale of zero-day exploits is on the decline.

“Machine Identities as a Service”

During the announcement of the study, Kevin Bocek said that these dark web services essentially deliver "machine identities as a service" to cyber criminals. TLS certificates provide each machine with a unique machine identity and are used to convey trust to website visitors and search engines. "The identities of machines are a lot more valuable, a lot more interesting and a lot more important to hackers these days. Having a machine identity as part of your attack is actually a must-have today, because the browsers have now enforced a policy that if you don't have the TLS digital certificate, then your web service, website and your attack are going to be marked as not trusted at all. No hacker wants that," added Bocek.

Authentic TLS certificates allow cyber criminals to create sites for phishing campaigns and other malicious activity that evade several web browser security measures, like HTTPS checks and safe browsing modes. Stolen certificates can also be used to spread malware. Installation of certain types of software requires its code to be digitally signed with a trusted certificate. Stealing a digital certificate associated with a trusted vendor and signing malicious code with it reduces the possibility that the malware will be detected quickly. In addition, if a digital certificate is stolen, victims may suffer identity theft and the related economic consequences. Finally, digital certificates are used by attackers to conduct “man-in-the-middle” attacks over secure connections, tricking users into thinking they are on a legitimate site when in fact their TLS traffic is being secretly intercepted and tampered with.

The above examples of illicit activity explain why the researchers found that vendors on online underground markets were offering the most trusted type of machine identity, Extended Validation (EV) certificates for U.S. and U.K. companies, for as much as $2,000, promising “to supply EV certificates from reputable and trusted certificate authorities, along with documentation for the forged companies.” EV certificates allow the attackers to create trustworthy spoofed or malicious websites and encrypt the traffic between malicious servers and targeted users, making it difficult to spot problematic behavior.

All of the above makes the finding of the study more alarming because of “how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information,” as David Maimon has said.

Safeguarding Digital Certificates

To be honest, the sale of TLS certificates should be expected as the internet becomes more and more encrypted. It is only natural that the attackers evolve their strategies and migrate to techniques that attempt to circumvent this control. As a consequence, internet users should not trust a site only because the TLS certificate is valid, even if it is an EV certificate. As the report shows, these can also be spoofed. It is our shared responsibility to mitigate this attack vector, even if it proves difficult.

There are ways for organizations to safeguard their legitimate certificates, and the best one is to ensure successful management of certificates and keys. Organizations must have visibility into each of their TLS keys and certificates, and they should turn to automation for effective management of digital certificates.
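The chain walk described under “A Systemic Failure of Trust” and the certificate visibility recommended here, as an added example (not code from the study or from Venafi): a toy Python model in which a per-CA HMAC stands in for real X.509 public-key signatures. All names (`CA_KEYS`, `chains_to_root`, `assess`, `shop.example`) are hypothetical; the model shows that a mis-issued certificate chains to a trusted root exactly like the legitimate one, and that only a comparison against the organization's own inventory tells them apart.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy model (constructed data): a per-CA HMAC stands in for the CA's signature.
CA_KEYS = {"Root CA": b"root-secret", "Issuing CA": b"issuing-secret"}

def sign(issuer: str, subject: str, pubkey: str) -> str:
    msg = f"{subject}|{pubkey}".encode()
    return hmac.new(CA_KEYS[issuer], msg, hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: str      # stands in for the subject's public key
    signature: str
    def fingerprint(self) -> str:
        return hashlib.sha256(repr(self).encode()).hexdigest()

def issue(subject: str, issuer: str, pubkey: str) -> Cert:
    return Cert(subject, issuer, pubkey, sign(issuer, subject, pubkey))

def chains_to_root(cert: Cert, pool: dict, trust_store: set) -> bool:
    """Follow issuer links, checking each signature, until a trusted root."""
    seen = set()
    while cert.issuer in CA_KEYS and cert.subject not in seen:
        expected = sign(cert.issuer, cert.subject, cert.pubkey)
        if not hmac.compare_digest(cert.signature, expected):
            return False
        if cert.issuer in trust_store:
            return True
        seen.add(cert.subject)
        cert = pool.get(cert.issuer, cert)  # missing issuer ends the loop
    return False

def assess(cert: Cert, pool: dict, trust_store: set, inventory: dict) -> str:
    if not chains_to_root(cert, pool, trust_store):
        return "untrusted"
    # A valid chain does not show who holds the key; the inventory does.
    if cert.fingerprint() not in inventory.get(cert.subject, set()):
        return "trusted-but-not-in-inventory"
    return "trusted-and-inventoried"

POOL = {"Issuing CA": issue("Issuing CA", "Root CA", "issuing-pub")}
TRUST_STORE = {"Root CA"}
LEGIT = issue("shop.example", "Issuing CA", "owner-pub")
ROGUE = issue("shop.example", "Issuing CA", "someone-else-pub")  # mis-issued
FORGED = Cert("shop.example", "Issuing CA", "forger-pub", "0" * 64)
INVENTORY = {"shop.example": {LEGIT.fingerprint()}}
```

`assess` returns the same "trusted" verdict from the chain walk for `LEGIT` and `ROGUE`; the inventory lookup is the only step that separates them.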

If you are not concerned about the TLS certificates being sold on the dark web, you’d better be, before it is too late.


About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
