Research on EV SSL and online criminal actors reveals that domains with EV SSL certificates are 99.99% likely to be unassociated with bad cyber actors. CyFI studied 2.6 million domains associated with EV SSL to arrive at these results.
Today we saw new research from Georgia Tech’s Cyber Forensics Innovation (CyFI) Lab on the topic of Extended Validation (EV) SSL and online criminal actors. The CyFI lab gathered the domain names of 2.6 million EV certificates going back to 2010 and correlated them against a series of sources identifying known or suspected bad actors. These sources included domains associated with:
- Underground marketplaces and forums
- Bad actor blacklists
This research, which was made possible by a financial contribution from Sectigo, concluded that 99.99% of domains with EV certificates have no association with the bad actor domains identified above. In its research writeup, the research team says,
“…the probability that an EV SSL certificate is associated with bad domains is less than 0.00013 or less than 0.013 %. Which means that EV SSL certificates are highly unlikely to be linked to domains that are associated with underground forums and marketplaces or malware/cybercrime activities.”
Because some malware, for functional reasons, contacts popular sites that are completely independent of and innocent of the malware activity, this number may, if anything, understate the level of assurance an EV certificate provides. The malware-associated list that CyFI used includes, by way of example, domains belonging to Apple, Symantec, Comodo, and Citrix. It is highly unlikely that these companies are bad actors; rather, the malware authors choose to touch these sites for other reasons entirely.
From the 2.6 million EV domains evaluated, CyFI discovered a total of three domains with EV certificates that are associated with cyber actors actively tracked in underground marketplaces and forums, and seven cyber actors associated with those domains. The writeup includes details of these domains and actors.
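The correlation described above, together with the caveat that malware often merely contacts legitimate vendor sites, as an added example (not CyFI's code; the domain lists are constructed samples, and the registrable-domain rule is a simplified stand-in for a proper public-suffix lookup):

```python
# Added example, not CyFI's code: correlate EV-certificate domains against
# threat-intel domain lists and set aside hits on well-known benign
# infrastructure that malware merely contacts (the Apple/Symantec case above).
from dataclasses import dataclass, field


def registrable(host: str) -> str:
    """Reduce a hostname to its registrable domain (simplified: last two labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class Correlation:
    checked: int
    forum_hits: set = field(default_factory=set)          # EV domains seen in underground forums/markets
    malware_hits: set = field(default_factory=set)        # EV domains contacted by malware, not on benign list
    benign_infra_hits: set = field(default_factory=set)   # EV domains contacted by malware but known-benign

    @property
    def bad_fraction(self) -> float:
        bad = self.forum_hits | self.malware_hits
        return len(bad) / self.checked if self.checked else 0.0


def correlate(ev_domains, forum_domains, malware_contacts, benign_infra) -> Correlation:
    ev = {registrable(d) for d in ev_domains}
    forums = {registrable(d) for d in forum_domains}
    contacts = {registrable(d) for d in malware_contacts}
    benign = {registrable(d) for d in benign_infra}
    result = Correlation(checked=len(ev))
    result.forum_hits = ev & forums
    # Malware reaching a well-known vendor site is not evidence against that site.
    result.benign_infra_hits = (ev & contacts) & benign
    result.malware_hits = (ev & contacts) - benign
    return result


# Constructed sample lists (hypothetical .example names, not real indicators).
EV_DOMAINS = ["www.bank-one.example", "shop.store-two.example",
              "update.vendor-three.example", "portal.firm-four.example",
              "mail.corp-five.example"]
FORUM_DOMAINS = ["store-two.example", "evil-market.example"]
MALWARE_CONTACTS = ["api.vendor-three.example", "c2.badhost.example", "www.bank-one.example"]
BENIGN_INFRA = ["vendor-three.example"]


def demo() -> Correlation:
    return correlate(EV_DOMAINS, FORUM_DOMAINS, MALWARE_CONTACTS, BENIGN_INFRA)
```

On the sample data, `demo()` flags two of five EV domains and files the vendor site under benign infrastructure rather than counting it against the EV population.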
The research team writes, “We found that the probability that a domain with an EV certificate is abused or associated with cybercrime is negligible… Overall, our findings suggest that domains which invest in EV certificates are prudent with cybersecurity practices and highly unlikely to be associated with cybercrime or abuse.” The paper’s summary section adds, “We conclude that EV certificates are highly indicative of legitimate domains registered by legitimate business. Therefore, users benefit by noticing and using the browser security indicators as a guide to trust domains with EV SSL certificates.”
The CyFI team has suggested that it would like to do additional research into this topic, including the differences between domains set up and owned by cyber actors and domains that have somehow been compromised for abuse. CyFI would also like to investigate how browsers can better use this information to communicate the level of known legitimacy of any given site to the end user in a way that enables more secure decision making.
Sectigo would like to encourage CyFI and all other academic and white hat researchers to continue to probe this topic. The company has a strong policy of working cooperatively with white hats to enable their critical contribution to overall internet security. We encourage any white hat who would like to cooperate with Sectigo to identify and fix potential exploits in our global PKI infrastructure to contact us. You can email me personally at [email protected], and we will figure out the best way to work together on this critical initiative.