Root Causes 78: Extended Validation Certificates and the Dark Web

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  So, what we want to talk about today is there was a research paper presented on stage at RSA 2020 and, obviously everyone got distracted with current events after RSA. That was sort of the end of the old era and so, you know, we had to talk about a bunch of other very pressing topics, but this is timely and we wanted to cover it. The research paper - - the paper is called the Modus Operandi of EV Certificate Fraudsters -Findings from the Field and it's, uh, presented from a professor from Georgia State University. They have a cybersecurity research group and the professor is Dr. David Maimon. I don't know if I'm pronouncing that right, Dave. Sorry, if I'm mutilating your name. It's M-a-i-m-o-n. And, I just thought today we should go over what this paper says and, you know, explain it for our audience.

• 

  Jason Soroko

  Well, thanks, Tim. That's great. I didn't get a chance to go to RSA this year. So, you're catching me up. You and some other people, too. It was a lightly attended show and unfortunately, I couldn't attend the actual session, but I managed to get the results and I did have a phone conversation with him about this research last year. So, I think I can represent it pretty fairly. So, what the Georgia State University group did was they basically went and got identities to join known online criminal marketplaces. The people - - the places where people get together to trade stolen credit card numbers and, you know, source code, crack source code and phishing kits and things along those lines. Basically, the places where people go to buy and sell commercial criminal cyber-attack wares, if you will. And they were looking for the ability to purchase certificates, valid certificates that were validly issued from public CAs on trusted roots on these online marketplaces. And what they found was that this is a thing that you're able to do. They acquired - - it looks like they acquired two or three certificates to prove the concept and they did acquire extended validation certificates as well. So, we should explain how this is done because I think it's important in order to understand the way the attack, if you wanted to call it an attack, but the way the process works. And how this is done is if you commission one of these certificates, then what happens is the party that's selling them goes out and creates a business entity. So, they legally register a business. They go through the business registration process and then when they have a real business, they go get a certificate for that business and then they deliver the business and the certificate together to the purchaser so that the purchaser owns a real business with a real business name and they have an EV certificate for that business, for the domain name that they want to use.

  Wow, Tim. So, you know, I can tell you in the jurisdiction where I live, it really wouldn't be feasible or not even close because of the expenses involved with doing some of what you just said. So, was there something in the paper that explains the ease, the lack of friction, lack of cost.

• 

  Tim Callan

  So, the geographies they're using. Well, the lack of costs, it's not cheap. So, the paper suggests that these things run from $1,000 to $14,000 per certificate. So, that is not cheap. And that's probably a pretty healthy markup for the people who are doing it because it's not that expensive to register a business. I've registered a number of them in my life and, you know, it's like a hundred bucks or something. And then the certificate isn't that expensive either. And if you're charging $14,000 and your total out-of-pocket is maybe 500 bucks like that's a nice business. So, I think a lot of what these criminals are paying for is somebody just knowing how to do it and somebody being able to go through the process and they have got the process well understood and they can run through it really, really well, but, you know, it's not horribly hard to create a business. And when you create a business, then you can get a certificate for that business because you have a business and then what they turn around is they just deliver all of that to somebody else who presumably based on where they're hanging out is planning on using that for some kind of nefarious purpose, because otherwise, why are they hanging out there? And so, they're actually reasonably expensive and, at the end of the day, what they're getting, and this is a very important point is, they are getting a cert that was validly issued to a real business that had not been involved in anything, fraudulent or malicious, right. A business with a clean record. And then what they would do is they take that and they package the whole thing up and they give it to somebody again, who presumably wants to use it for something untoward.

• 

  Jason Soroko

  Yeah, Tim. I can see that. It’s an interesting research, uh, boy, you know, I remember not that long ago, looking myself into various aspects of the underground economy and I guess this was just another inevitable outcome of that.

• 

  Tim Callan

  And so, you know, there's some important things to understand. Like, what can you get this way? You can get a green address bar, right? You can get an EV cert that's trusted, that’s in the major browsers, that's in the major browsers’ root stores. Now what you can get is you can't go out and get an EV cert that is registered against any attack of your choice. So, if I really wanted to get an EV cert for Citibank, I don't think you can do that this way. There is nothing in this research that indicates that you can. So, we got to understand the limits of it, right? It's easy to look at the headline and say, oh my God, someone's going to go get an EV cert for Citibank. I don't believe this attack gets you there. I think what it does is it gets you an EV cert for generic name that you can put on your website because you want to have a green address bar on your website for whatever reason. But it isn't the name of any kind of high value spoofing target.

• 

  Jason Soroko

  That's probably the most important point, Tim. So, in terms of jurisdictional, you know, Citibank, you know, Kansas is there different state-based jurisdictional issues that, that might - -

• 

  Tim Callan

  You know they didn't get into that in the research. So, the research says that the - - from what they can tell the countries for which this is available are the US and UK. They also say that it appears that this is really coming from one provider. So, it looks like there is one - I don't want to say person - but one criminal enterprise that is in the business of offering these certs. So, it's not like this is widespread. And it looks like they're doing it. US/UK real specifically. There also isn't any information on how purchased these really are. Right? That's not another thing that they felt that they could offer as information, which is, is this a, you know, are we the only people who've ever bought one? Was someone real excited because they actually sold one or is this going on a lot, right? There isn't really anything to answer that question. Um, you know, in general at a higher level, you’re talking about the name collision situation, the name collision problem and the name collision problem is a bigger society, societal matter, that needs to be worked out. So, you know, very famously, a couple years ago somebody acquired an EV cert for Stripe, Incorporated in, Kentucky - I think it was Kentucky - And, turned around and said, ah, I got an EV cert for Stripe. Look what I can do. I can spoof blah, blah, blah, blah, blah. Well, no, you got an EV cert for Stripe, Incorporated in Kentucky and we all know who you were and if you started to use that to pretend to be Stripe, then it would have been easy to know who to arrest. So, you know, name collisions happen. If I open Tim's Carwash in California and somebody else opens Tim's Carwash in Florida and we're both named Tim, that isn't necessarily wrong or untoward and more importantly, that is a practice that we've had for thousands of years, right? How many restaurants in the world have the same name? And so, we can't - - society isn’t at a place where we are able to turn around and enforce unique names. So, what we wind up doing is there's a lot of sort of trademark law around this and it has to do with market confusion and all sorts of things like that and that’s how it's really resolved in the real world. And what we do in the world of public CAs is we reflect what's in the real world. So, we have to faithfully reflect the way that the real legal mechanisms of naming operate and that's how they operate.

• 

  Jason Soroko

  Thanks, Tim. That's really interesting. I'm just trying to think right now, as a bad guy, why I would use this? It would have to be some very targeted attack that would pay off. You know, most of the attacks that we're seeing right now are about, you know, DV certificates tied to domains that last minutes.

• 

  Tim Callan

  Right. Absolutely.

• 

  Jason Soroko

  That seems to be the trend. So, you know, glad to see the research, but I'm just, you know, if I'm a bad guy, that's a lot of resource for something I'm going to burn quickly.

• 

  Tim Callan

  It seems to be a very kind of - - you got to imagine it's a very niche, very corner case kind of thing, which is why I have to wonder how many of these they're really obtaining and selling? Because exactly right, right. The, the massive phishing attack, right, more than 50% of phishing sites have SSL certs on it and it's probably much higher than that because of what Google and Chrome did with the not secure messages. Right? So, the math - - the classic kind of script kitty phishing is what you just said. I put up a site, it's dead in less than a day, it's super cheap to do and it's cheap enough to do that it's an economically viable alternative. Well, I can't be spending no thousand bucks on a cert for a classic crappy little phishing site that's going to be down in six hours. Like that is a fantastic way to go out of business. And if we want to stop the practice of phishing, let’s have every phisher go get those certs.

  And so, you know, in reality, this would have to be a very unusual use case where this thing was being used, especially, again, since I can't go get a cert for, you know, a high value, high visibility target, since I can't necessarily go get a cert for Citibank, you got to say, well, okay, what is that scenario where it's important to have the green address bar, but it doesn't matter what it's called and it's worth that investment? I don't know it’s kind of tough.

• 

  Jason Soroko

  Yeah, Tim. I think EV certificates and EV validation is still doing its job here because it really does show how limited the attack surfaces. And it wasn't that long ago we were talking about research which was actually focused on taking a look at what type kinds of certificates were used in phishing attacks. EV was - - it wasn't non-existent but pretty close.

• 

  Tim Callan

  Yeah. A few people have taken cuts at this a few different ways and that's exactly what you see. I mean, the numbers based on the research set and the kind of attack, the numbers go from zero to damn near zero and that's the reason why. Like, it’s really not worth it. It's too slow and it's too difficult and the economics of most phishing and most malware distribution is about operating on the cheap and they're not operating on the cheap if they're going in there creating custom business names, you know, and that's another important thing, too, that was sort of missed in the whole discussion around Stripe. Which was, yeah, okay, you had some discretionary income, you know, you are a middle-class person or better from the United States and you can turn around and you can blow a hundred bucks on a business identity for purposes of trying to figure out if you can get an EV cert for Stripe and blow a few hundred bucks on a EV cert, you know, you're out of pocket $300/$400 bucks and you go, okay, well, it was a lark I don’t really care. Alright, great. But if you are a production script kitty operating out of Indonesia, you do not have $300 to waste. And so, that takes a whole giant category of attack out of consideration for EV certs even with those kinds of collisions we talked about and this idea of creating your own business and all that.

• 

  Jason Soroko

  Well, Tim, after listening to you and thank you so much for sharing all that, I think that is my conclusion as well. I think this is - - whatever this is going to be used for is very niche and, I think that the concept of EV still holds. The fact that you can start up a business and get an EV certificate well, that shouldn't be a surprise to anybody.

• 

  Tim Callan

  Yeah. So, I'm going to just last - - throw out a little PSA here which is Dr. Maimon, again, sorry if I'm mutilating your name, if you want to come on and share any details on this with us, you know, reach out to me directly. We'd love to have you. Maybe there's things you know that we don't, or maybe you can answer our questions or maybe we could talk about your methodology. All of those would be really interesting things. We'd love to have you on, but I just wanted to cover this research while it was timely since you did present at RSA. And with that, I want to say thank you, Jay. As always, it's fun talking to you.

• 

  Jason Soroko

  Thank you, Tim.

• 

  Tim Callan

  Thank you, Listeners and this has been Root Causes.