Detecting Certificate Misissue via CT Logs
Certificate Transparency (CT) is an open framework that provides visibility of newly issued SSL/TLS certificates by enforcing Certificate Authorities (CAs) to log every certificate they issue in public, tamper-proof, append-only logs. This project aimed at exploring the viability of using CT Log entries as the sole data source to detect phishing websites certificates. The implemented system analyses certificates submitted to the Logs to build a machine learning-based classifier that predicts the phishing likelihood of newly issued certificates. The system uses features directly extracted from CT log data to successfully classify certificates into one of five different incremental certificate risk labels that range from legitimate to highly suspicious. Evaluation results demonstrate the effectiveness of the approach, with a success rate of over 90%. Results confirmed that CT is indeed a valuable source of data that can be machine-processed to mount automated alert systems. By relying solely on CT Log data, the system can deliver results in almost real-time, significantly reducing the time to detect phishing websites. The project resulted in a scientific paper accepted at the 15th EAI International Conference on Security and Privacy in Communication Networks.