Skip to main content
banner image
venafi logo

Are Your TLS Certificates Being Sold on the Dark Web?

Are Your TLS Certificates Being Sold on the Dark Web?

Man staring at a computer screen with lines of code on it, in a dimly lit room
April 18, 2019 | Guest Blogger: Kim Crawley

Your TLS certificates, like all of your machine identities, are very precious and very sensitive keys. I live in a large city, so if I lose the physical key to my apartment’s front door, there’s no clue on my key as to which street address’ door it unlocks. I’d have to make an embarrassing phone call to my landlord, but at least the odds of a burglar breaking into my home with it are exceedingly slim.


The same cannot be said for TLS certificates. Your TLS certificates contain information which can be used to spoof the machines they’re associated with. And it doesn’t matter what kind of networked entity the certificate is associated with, if an external cyber attacker has unauthorized access, the consequences will be devastating. Whether the machine associated with the machine identity contains financial data or just a way into your workplace’s internal communications, tremendous damage can be done that you may not notice until it’s too late.

Cyber attackers know this all too well and they see an opportunity. Some will acquire TLS certificates and see that other cyber attackers on the Dark Web are willing to pay top dollar, or rather top Bitcoin for them. Other cyber attackers think paying the equivalent of a few hundred dollars for a bunch of certificates is a worthwhile investment, because the cybercrime they can commit with them could make them at least thousands.

How Prevalent is TLS Trafficking on the Dark Web?

Venafi has sponsored some extensive research into this worrisome and growing cybersecurity problem. The research was conducted by the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey, featuring the work of David Maimon,Yubao Wu, Michael McGuire, Nicholas Stubler, and Zijie Qiu. The objective of the study was to find how extensive TLS certificate trafficking is on the Dark Web, and how those sensitive machine identities are packaged and sold to cyber attackers. Their findings are very concerning, and every organization which uses certificates must know about them.

Here are some of the findings which really grabbed my attention.

TLS Fun Packs

TLS certificates aren’t always sold on their own. Often they are packaged in bundles with other crimeware, such as ransomware and kits for making phishing websites. Don’t tell me you’d buy that TV informercial’s food processor if they didn’t throw in a set of Japanese kitchen knives and an avocado cutting gadget if you call right now! On a more serious note, the packaging that Dark Web market vendors do makes life much easier for cyber attackers. Now more than ever, they don’t have to work very hard to engage in cyber attacks, nor do they require l33t hacker skills these days. That spells bad news for the legitimate users of machine identities and encrypted networking.

The researchers examined Dark Web markets and forums hosted both on the Tor and on the I2P proxy networks. Some of the illicit entities that they’ve researched include Dream Market, Wall Street Market, Empire Market, Silk Road 3.1, Rapture, Tochka/Point Cannazon, CGMC, Berlusconi Market, AltBay, The Majestic Garden, Olympus, Midland City, Black Market, Cave Tor, Visibility, Dumpteam, Hidden Answers, Chan, Anongw, Anonsfw and Difracker.

More Popular than "Ransomware"

Dream Market, Wall Street Market, BlockBooth, Nightmare Market, and Galaxy3 specifically sell more TLS certificates than the other Dark Web sites the researchers looked at. All of them have easy-to-use search functionality. Searches on those five sites conducted by the researchers uncovered 2,943 mentions for “SSL” and 75 for “TLS.” For some perspective, there were only 531 mentions for “ransomware” and 161 for “zero day.” As you of course know, a zero day exploit is one that’s assumed to be unknown by the cybersecurity industry. Interestingly enough, Dream Market seems to specialize in selling TLS certificates now.

Some of the targeted extras which have been bundled by maliciously acquired TLS certificates include  after-sale support and integration with a range of legitimate payment processors such as PayPal, and “aged” domains. That could make profitable cybercrime easier than ever.

One vendor on BlockBooth has been found to claim to issue certificates from legitimate certificate authorities. If the claim is true, that’s absolutely fascinating. But it also suggests that perhaps some certificate authorities are being specifically exploited for the purposes of cybercrime.

Burgeoning Market

Illicitly acquired and sold TLS certificates aren’t as expensive as you may think. Researchers have found that they tend to be sold for the equivalent of around $260 to $1600 USD. Although pretty much everything that can be purchased from the Dark Web must be bought with cryptocurrency, my own personal research of Dark Web markets has indicated that the sites can be configured to show what the Bitcoin, Monero, or Ethereum prices are worth in US dollars, Euros, British pounds, Canadian dollars, or other major fiat currencies. Also, those prices must be irresistible to prospective cyber attackers. I occasionally spend several hundred dollars impulsively, and I’m not a wealthy woman. Crimeware and your sensitive machine identities can be relatively affordable in the grand scheme of things.

The research report concludes:

“This project provides evidence of the existence of an online underground market for TLS certificates, specifically the presence of vendors on online underground markets that are promising to issue EV certificates for US and UK companies for less than $2,000. At this point, we are not sure how large this market is, whether the quality of goods offered matches vendor listings, or which parties are interested in purchasing these commodities. However, we plan to continue our research and keep investigating this issue.”

That continued research is very necessary and I’m eager to learn what further Venafi-sponsored research will uncover in due time.


Related posts

Like this blog? We think you will love this.
compromised android platform certificate
Featured Blog

Compromised Platform Certificates Used to Sign Android Malware for Samsung, LG and Others

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Guest Blogger: Kim Crawley
Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more