Academic Study Exposes Booming SSL/TLS Certificate Marketplaces on the Dark Web

Venafi sponsors first ever study into availability of TLS machine
identities on the dark net

SAN FRANCISCO–(BUSINESS WIRE)–lt;a href=”” target=”_blank”gt;#Certificateslt;/agt;–RSA Conference Booth 6359 — Venafi®,
the leading provider of machine identity protection, today announced the
first set of findings from an academic study of the availability of
SSL/TLS certificates on the dark web, and their role in the cybercrime
economy. The research, sponsored by Venafi and undertaken by researchers
at the Evidence-based
Cybersecurity Research Group
at the Andrew
Young School of Policy Studies at Georgia State University
and the University
of Surrey
, uncovered thriving marketplaces for TLS certificates sold
individually and packaged with a wide range of crimeware. Together these
services deliver machine-identities-as-a-service to cybercriminals who
wish to spoof websites, eavesdrop on encrypted traffic, perform
man-in-the-middle attacks and steal sensitive data.

“One very interesting aspect of this research was seeing TLS
certificates packaged with wrap-around services – such as web design
services – in order to give attackers immediate access to high levels of
online credibility and trust,” said security researcher and report
author David Maimon, associate professor and director of the
Evidence-based Cybersecurity Research Group. “It was surprising to
discover how easy and inexpensive it is to acquire extended validation
certificates, along with all the documentation needed to create very
credible shell companies without any verification information.”

Key study findings include:

  • Five of the Tor network markets observed, offer a steady supply of
    SSL/TLS certificates, along with a range of related services and
  • Prices for certificates vary from $260 to $1,600, depending on the
    type of certificate offered and the scope of additional services.
  • Researchers found extended validation certificates packaged with
    services to support malicious websites such as Google-indexed “aged”
    domains, after-sale support, web design services, and integration with
    a range of payment processors – including Stripe, PayPal and Square.
  • At least one vendor on BlockBooth promises to issue certificates from
    reputable Certificate Authorities along with forged company
    documentation – including DUNS numbers. This package of products and
    services allows attackers to credibly present themselves as a trusted
    U.S. or U.K. company for less than $2,000.

One representative search of these five marketplaces uncovered 2,943
mentions for “SSL” and 75 for “TLS.” In comparison, there were just 531
mentions for “ransomware” and 161 for “zero days.” It was also evident
that some marketplaces – such as Dream Market – appear to specialize in
the sale of TLS certificates, effectively providing
machine-identity-as-a-service products. In addition, researchers found
that certificates are often packaged with other crimeware, including

“This study found clear evidence of the rampant sale of TLS certificates
on the dark net,” said Kevin Bocek, vice president of security and
threat intelligence for Venafi. “TLS certificates that act as trusted
machine identities are clearly a key part of cybercriminal toolkits –
just like bots, ransomware and spyware. There is a lot more research to
do in this area, but every organization should be concerned that the
certificates used to establish and maintain trust and privacy on the
internet are being weaponized and sold as commodities to cybercriminals.”

To download a copy of the report, please visit:

Research Design and Methodology

To accomplish the research objectives, researchers dove into online
markets and hacker forums that were active on the Tor network, I2P and
the Freenet from October 2018 to January 2019 and searched for “for
sale” ads of compromised, fake and forged TLS certificates. During this
period, the research team conducted 16 weekly searches, discovering
nearly 60 relevant online markets webpage on Tor and 17 webpages on I2P.
Researchers reviewed the listings in detail and, in some cases, engaged
in conversation with sellers to gain a better understanding of the goods
and services being sold.

About Venafi

Venafi is the cybersecurity market leader in machine identity
protection, securing machine-to-machine connections and communications.
Venafi protects machine identity types by orchestrating cryptographic
keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi
provides global visibility of machine identities and the risks
associated with them for the extended enterprise – on premises, mobile,
virtual, cloud and IoT – at machine speed and scale. Venafi puts this
intelligence into action with automated remediation that reduces the
security and availability risks connected with weak or compromised
machine identities while safeguarding the flow of information to trusted
machines and preventing communication with machines that are not trusted.

With over 30 patents, Venafi delivers innovative solutions for the
world’s most demanding, security-conscious Global 5000 organizations and
government agencies, including the top five U.S. health insurers; the
top five U.S. airlines; four of the top five U.S., U.K., Australian and
South African banks; and four of the top five U.S. retailers. Venafi is
backed by top-tier investors, including TCV, Foundation Capital, Intel
Capital, QuestMark Partners, Mercato Partners and NextEquity.

For more information, visit:

About the Evidence-based Cybersecurity Research Group at the Andrew
Young School of Policy Studies at Georgia State University

Cyber-dependent crimes have become a major concern for governmental,
commercial, and financial institutions around the globe, as well as for
private individuals who use computer technology and the internet for
leisure, shopping, and work.

Extensive research has examined and proposed ways to prevent the
development of cyber-dependent crimes. However, it is still unclear
whether commonly used interventions can prevent online offenders from
engaging in crimes like hacking, spreading malware, and launching
Distributed Denial of Service attacks.

The Evidence-based Cybersecurity Research Group at the Andrew Young
School of Policy Studies at Georgia State University seeks to produce
empirical evidence and provide systematic reviews of existing empirical
research regarding the potential effect of existing cyber security
policies and tools in preventing the development and progression of
cyber-dependent crimes.

For more information, visit:


Shelley Boose
[email protected]

error: Content is protected !!