SSL certificates are supposed to act as certification that a website is safe, secure and controlled by legitimate operators. However, a new study has uncovered thriving marketplaces for cybercriminals to buy and sell SSL certificates, which casts doubt on the level of protection that SSL offers.

SSL (Secure Sockets Layer) certificates provide a secure channel between two machines connected to the internet, most commonly to allow secure communication between a web server and a web browser. Websites with a secure connection will display a lock, and their addresses start with HTTPS. Unsecured websites will display a “Not Secure” warning, which is usually a good sign of a vulnerable or untrustworthy website.

To be issued, an SSL certificate must be digitally signed by an organisation, which verifies its authenticity. This tells users that it is safe to enter sensitive information such as credit card details. However, this may no longer be enough to provide users with the security needed to protect against cybercrime.

SSL certificates for sale on the dark web

In a study sponsored by Venafi, a leader in providing machine identity protection, researchers from the Evidence-based Cybersecurity Research Group, Georgia State University and University of Surrey found five marketplaces on the Tor network that offered regular supplies of SSL certificates. With these certificates, cybercriminals could spoof legitimate websites, steal sensitive data, spread malware and eavesdrop on users.

On one marketplace, a search for SSL certificates provided more than 2,900 results, far more than similar searches for ransomware (512 results) and zero-day exploits (160).

At least one seller was offering certificates from reputable certificate authorities, which came complete with forged company documentation that would allow the buyer to pose as a legitimate, trusted company based in the United States or United Kingdom.

SSL certificates were available to purchase for just $260, with prices increasing into the thousands depending on the type of certificate up for sale. Some sellers were found to be including these certificates bundled with web design services which offered to create ecommerce stores “for your frauding escapades” that are so believable that “even you won’t notice it’s a con-site”.

“This study found clear evidence of the rampant sale of TLS [Transport Layer Security] certificates on the dark web,” Kevin Bocek, vice president of security and threat intelligence for Venafi, said. “TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits — just like bots, ransomware and spyware.”

“There is a lot more research to do in this area, but every organisation should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponised and sold as commodities to cybercriminals.”

