Sunday, August 25, 2024

[Rephrasing] Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem

💡 This is a reader's perspective on the paper written by Doowon Kim (from the University of Tennessee, Knoxville) and published at the ACM ASIA Conference on Computer and Communications Security 2021.

Brief Description

The authors provide a nice view of the role of certificate authorities (CAs) in the phishing landscape. They first study how CAs validate a website before issuing it a certificate, the effectiveness of HTTPS phishing websites, and the procedures CAs follow for issuing and revoking certificates. They also describe how CAs handle reports of phishing websites.

Observations

In Section 1, they mention that of all successful phishing attacks (I also have no idea how they consider one to be successful), 85% are HTTPS phishing and the other 15% are HTTP phishing. That success rate might not mean much if the share of HTTPS phishing attacks overall is also 85%. Later they mention that the share of HTTPS phishing is closer to 86%, which basically means that it is worse, doesn't it?

Second, why is it good for the CAs to issue certificates to phishing websites? Is it related to the number of certificates issued (which could later raise the company's valuation)? Or is it about the cost of further vetting each website for which a certificate is being generated? This could be a research gap worth exploring.

Another thing I disagree with the authors on is the removal of the password field from the mock phishing websites. They describe it as an ethical measure to avoid having regular users enter their credentials, but they could have achieved the same by not storing what users submit. Without a password field, the site does not try to steal the user's password, which makes it different from a real phishing website.

Initial Questions

The first thing I asked myself was about their URL data source, and whether the phishing websites were required to be live. While I don't know the answer to the second question, they mention later that they got those URLs from APWG eCX.

Where do the experiment ideas come from?

I suspect that the inspiration for the paper comes from curiosity about how malicious websites can pass validation, and how the "false" sense of security that Chrome conveys might hurt users.

What are the interesting ideas/results?

I really like the sequence of experiments on the evaluation of certificate authorities.

Nice idea on the deployment of phishing websites to verify the behavior of CAs.
