Can a TLS certificate be phishy?

Abstract

This paper investigates the potential of using digital certificates for the detection of phishing domains. This is motivated by phishing domains that have started to abuse the (erroneous) trust of the public in browser padlock symbols, and by the large-scale adoption of the Certificate Transparency (CT) framework. This publicly accessible evidence trail of Transport Layer Security (TLS) certificates has made the TLS landscape more transparent than ever. By comparing samples of phishing, popular benign, and non-popular benign domains, we provide insight into the TLS certificates issuance behavior for phishing domains, focusing on the selection of the certificate authority, the validation level of the certificates, and the phenomenon of certificate sharing among phishing domains. Our results show that phishing domains gravitate to a relatively small selection of certificate authorities, and disproportionally to cPanel, and tend to rely on certificates with a low, and cheap, validation level. Additionally, we demonstrate that the vast majority of certificates issued for phishing domains cover more than only phishing domains. These results suggest that a more pro-active role of CAs and putting more emphasis on certificate revocation can have a crucial impact in the defense against phishing attacks.

Cite

Hageman, K., Kidmose, E., Hansen, R. R., & Pedersen, J. M. (2021). Can a TLS certificate be phishy? In Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021 (pp. 38–49). SciTePress. https://doi.org/10.5220/0010516600380049
