Karim Eldefrawy

Cryptography, Cybersecurity, Privacy

Co-founder and CTO at Confidencial.io
2017-2021: SRI
2011-2016: HRL Laboratories
2006-2010: PhD@UC Irvine

Scientific curiosity

Scientific knowledge map · Paper #16

Harvesting SSL Certificate Data to Identify Web-Fraud

Mishari Al Mishari, Emiliano De Cristofaro, Karim Eldefrawy, and Gene Tsudik

2012 · International Journal of Network Security, Volume 14, Number 6

  • Applied
  • AI for security
  • algorithm

What does the paper try to establish?

Do HTTPS certificate fields contain enough stable signal to distinguish popular legitimate domains from phishing, typosquatting, and less-vetted domains without observing a user's browsing history or page content?

What is the proposed answer?

The study finds strong distributional differences across certificate datasets and trains classical machine-learning classifiers on derived X.509 features. Ten-fold cross-validation reports high positive-class recall and precision in the sampled data, but lower negative recall in some formulations; the authors therefore position the classifier as one input to a broader anti-fraud system rather than a standalone detector.

Six dimensions, kept separate

The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.

The visual spider chart requires JavaScript. The complete values and rationales follow in text.

LowMediumHighN/A = not assessed

A smaller value means less documented support for that dimension, not that the paper is false or unimportant.

Epistemic evidence Medium

The study uses large observational datasets, explicit features, multiple classifiers, ten-fold validation, and sensitivity checks. Labels are proxy-based, the sample is historically bounded, negative-class recall is weak in some formulations, and no data/code or modern independent replication was located.

Dataset sizes and unique-certificate counts Classifier families, metrics, and ten-fold validation Primary classifier results Dataset-size and issuer-only feature experiments Deployment limitations, adversarial adaptation, and integration
Auditability High

The complete journal version is checked into the site with source route, page count, and SHA-256 identity. Dataset construction, features, metrics, and tables are inspectable, though the underlying data and code are unavailable.

Dataset sizes and unique-certificate counts Primary classifier results Deployment limitations, adversarial adaptation, and integration
Production provenance Medium

Named authorship, journal and preprint records, and an author-hosted journal PDF establish baseline provenance. Contributor roles, dataset snapshots, code versions, and revision history are not documented.

Problem and certificate-only detection proposal Official journal record
External scrutiny Medium

Journal publication and follow-on citations provide external attention, but review reports, corrections, data reuse, and independent classifier reproduction were not audited.

Official journal record Citation-count snapshot
Reception High

ResearchGate displayed 21 citations on 2026-07-11, exceeding the rubric's 11-citation high threshold. The count is index-specific and citing contexts were not reviewed.

Citation-count snapshot
Contribution significance Medium

The work presents an early, privacy-conscious certificate-based machine-learning detector and a substantive Internet measurement, but its data are historically bounded and the classifier is explicitly not a standalone solution.

Problem and certificate-only detection proposal Primary classifier results Deployment limitations, adversarial adaptation, and integration

Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.

Hierarchical knowledge map

Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.

paper

Certificate-based web-fraud classification

An Internet measurement and machine-learning study using only server X.509 certificate data to flag potentially fraudulent domains.

Problem and certificate-only detection proposal
  1. scope

    Measurement scope

    explicitly scoped

    Certificates were collected in September-October 2009 and March-October 2010 from popular, random .com/.net, phishing, and typosquatting domain lists that responded on HTTPS.

    Collection periods and domain sampling
  2. dataset Four certificate datasets described not released

    The article reports 2,984 Alexa certificates, 22,063 random .com/.net certificates, 5,175 phishing certificates, and 486 typosquatting certificates, with substantial duplicate rates in several sets.

    Dataset sizes and unique-certificate counts
    1. assumption

      Label construction

      operationalized

      Alexa ranking is used as a popular/legitimate proxy, PhishTank supplies phishing domains, and typosquatting candidates are derived from random domains using typo correction plus a parked-domain classifier.

      Collection periods and domain sampling
  3. method

    Certificate feature extraction

    implemented

    The system derives boolean, categorical, and duration features from certificate issuer, subject, host-name similarity, signing, and validity information, including pairwise popularity indicators.

    X.509 feature extraction and distribution analysis
  4. algorithm

    Classifier ensemble comparison

    implemented

    Random Forest, Decision Tree, bagged and boosted trees, and Nearest Neighbor are trained and compared using positive/negative precision and recall under ten-fold cross-validation.

    Classifier families, metrics, and ten-fold validation
  5. empirical evidence

    Phishing versus popular certificates

    cross validated

    Across classifiers, positive recall is about 0.935-0.94 and positive precision about 0.877-0.881, while negative recall is about 0.773-0.780; the asymmetry matters for deployment false positives.

    Primary classifier results
  6. empirical evidence

    Random-or-phishing versus popular certificates

    cross validated

    When random .com/.net and phishing certificates form the positive class, reported positive recall reaches about 0.975 and precision about 0.960, but negative recall remains only about 0.598-0.631.

    Primary classifier results
  7. empirical evidence

    Training-size and feature sensitivity

    sensitivity analysis

    Increasing the phishing training set improves positive precision and recall, and an issuer-only feature set remains informative, supporting—but not proving—some resilience to easily forged subject fields.

    Dataset-size and issuer-only feature experiments
  8. limitation group

    Generalization and adversarial limits

    explicitly reported

    The labels and Internet sample are time- and source-dependent, many fraudulent domains do not use HTTPS, false positives remain, larger geographically diverse datasets are needed, and attackers can imitate forgeable certificate fields.

    Deployment limitations, adversarial adaptation, and integration
  9. scrutiny

    External scrutiny and reception

    journal reviewed

    The work appeared in the International Journal of Network Security and ResearchGate reports 21 citations; this audit did not inspect review reports, citing contexts, or a modern replication.

    Official journal record Citation-count snapshot

Source index

Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.

  1. Problem and certificate-only detection proposal Abstract and Section 1, PDF pages 1-2
  2. Collection periods and domain sampling Section 3.1, PDF pages 2-4
  3. Dataset sizes and unique-certificate counts Tables 1-2, PDF page 3
  4. X.509 feature extraction and distribution analysis Section 3.2 and Tables 3-7, PDF pages 4-8
  5. Classifier families, metrics, and ten-fold validation Section 4.1, PDF page 9
  6. Primary classifier results Section 4.2 and Tables 8-9, PDF pages 9-10
  7. Dataset-size and issuer-only feature experiments Sections 4.3-4.4 and Tables 10-11, PDF pages 10-12
  8. Deployment limitations, adversarial adaptation, and integration Section 5, PDF pages 11-12
  9. Conclusions and claimed novelty Section 7, PDF pages 13-14
  10. Official journal record International Journal of Network Security 14(6), pages 324-338
  11. Citation-count snapshot ResearchGate displayed Citations (21), observed 2026-07-11; coverage and version merging may differ from other indexes.