How Is the Forged Certificates in the Wild: Practice on Large-Scale SSL Usage Measurement and Analysis

Abstract

Forged certificates are a prominent issue in the real-world deployment of SSL/TLS, the most widely used encryption protocols for Internet security. They are typically used in man-in-the-middle (MITM) attacks, proxies, anonymous or malicious services, personal or temporary services, etc. A forged certificate wrecks the SSL encryption, leading to privacy leakage and severe security risks. In this paper, we study forged certificates in the wild based on a long-term, large-scale passive measurement. With the combination of certificate transparency (CT) logs and our measurement results, nearly 3 million forged certificates against the Alexa Top 10K sites are identified and studied. Our analysis reveals the causes and preference of forged certificates, as well as several significant differences from the benign ones. Finally, we discover several IP addresses used for MITM attacks by forged certificate tracing and deep behavior analysis. We believe our study can definitely contribute to research on SSL/TLS security as well as real-world protocol usage.

Citation (APA)

Cui, M., Cao, Z., & Xiong, G. (2018). How Is the Forged Certificates in the Wild: Practice on Large-Scale SSL Usage Measurement and Analysis. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10862 LNCS, pp. 654–667). Springer Verlag. https://doi.org/10.1007/978-3-319-93713-7_62