Certificate Transparency (CT) is an open-source framework for monitoring and detecting forged or fraudulently issued SSL certificates. Users' browsers are often able to detect such forged SSL certificates. However, Certificate Authorities (CAs) typically issue trusted certificates to any newly registered domain, without regard to whether the registrant is legitimate. Some of these newly registered entities may intend to establish legitimate services; others pose as brands to facilitate cyberattacks against organizations. A certificate system with no accountable CA puts many services in the digital world at risk.

Today's post explores how CT logs can be used to determine whether a site is malicious. Several online tools and manual processes are available for verifying and validating registered certificates; this post uses the censys.io tool for the analysis.

Simulation Domain


The simulated domain resembles the genuine Microsoft domain; it uses Punycode to achieve the visual match. We used DNS twister, an effective tool for security teams, to identify domains designed to masquerade as legitimate organizations. DNS twister helps incident responders and security department analysts address phishing threats effectively.



What are Punycode Domains?


Some domain registrars allow domains to be registered using Unicode characters in place of Latin characters. For example, a domain that looks like microsoft[.]com can be registered with the letter "i" replaced by a visually similar Unicode character. Such a domain is stored internally in its Punycode encoding, xn--mcrosoft-j75d[.]com. All modern web browsers support and accept Punycode encodings, so a domain registered in this way is displayed in the address bar as microsoft[.]com even though it is technically a different domain name, registered under its Punycode form. However, not all domain extensions fully support Punycode registration; prospective registrants and registrars should check whether the desired domain can be registered in this manner.
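The decoding and lookalike comparison described above, as an added example (this code is not from the original post or from any tool it mentions). It decodes each Punycode label with Python's raw punycode codec, lists every non-ASCII character with its Unicode name, and NFKC-folds the result so it can be compared against a list of brand domains; the brand list and the second sample domain (a constructed Cyrillic-"а" lookalike) are assumptions made for the example. The Cyrillic case is included on purpose: NFKC folding does not map Cyrillic letters to Latin, so the mixed-script flag, not the skeleton match, is what catches it.

```python
import unicodedata

ACE_PREFIX = "xn--"


def decode_label(label: str) -> str:
    """Decode one DNS label from Punycode (ACE) form to Unicode.

    The raw 'punycode' codec is used deliberately: the stdlib 'idna' codec
    rejects labels whose characters NFKC-fold to ASCII (it fails its
    round-trip check), and those are exactly the lookalikes we want to see.
    """
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def decode_domain(domain: str) -> str:
    # Accept defanged input such as "microsoft[.]com" and normalise it first.
    domain = domain.replace("[.]", ".").strip().rstrip(".")
    return ".".join(decode_label(part) for part in domain.split("."))


def skeleton(text: str) -> str:
    """Fold compatibility characters (e.g. U+2170 SMALL ROMAN NUMERAL ONE -> 'i')
    and case so a lookalike can be compared with the brand it imitates."""
    return unicodedata.normalize("NFKC", text).casefold()


def analyze(domain: str, brands):
    """Return an analyst-oriented report for one (possibly Punycode) domain.

    'brands' is an assumed list of legitimate domains to compare against.
    """
    unicode_form = decode_domain(domain)
    # Every non-ASCII character with its code point and name, for the report.
    non_ascii = [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in unicode_form
        if ord(ch) > 0x7F
    ]
    # A label that mixes ASCII letters with non-ASCII characters is the
    # classic homograph pattern (heuristic; no full script-property check).
    mixed = any(
        any(c.isascii() and c.isalpha() for c in lab)
        and any(ord(c) > 0x7F for c in lab)
        for lab in unicode_form.split(".")
    )
    folded = skeleton(unicode_form)
    imitates = [
        b for b in brands
        if skeleton(b.replace("[.]", ".")) == folded
        and unicode_form.casefold() != b.casefold()
    ]
    return {
        "input": domain,
        "unicode": unicode_form,
        "non_ascii": non_ascii,
        "skeleton": folded,
        "mixed_script_label": mixed,
        "imitates": imitates,
    }


if __name__ == "__main__":
    # The page's domain plus one constructed Cyrillic lookalike (xn--pypal-4ve).
    for d in ("xn--mcrosoft-j75d[.]com", "xn--pypal-4ve.com", "microsoft.com"):
        print(analyze(d, ["microsoft.com", "paypal.com"]))
```

For the page's domain the report shows a single non-ASCII character, U+2170 SMALL ROMAN NUMERAL ONE, whose NFKC skeleton collapses to `microsoft.com`; for the Cyrillic sample the skeleton does not match any brand, and only the mixed-script flag fires, which is why both checks belong in the workflow.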


Analysis of Domain Certificates Utilizing Certificate Transparency Monitoring


We recommend verifying the certificate information through the censys.io database. Certificate Transparency verification is not limited to specific types of domains: any domain can be checked on censys.io to validate its SSL certificate and detect possible phishing activity.


The image above shows the domain xn--mcrosoft-j75d[.]com submitted for search in Censys. This domain is the Punycode representation of the lookalike of microsoft[.]com.

Note: Some organizations may legitimately use the Punycode representation of their domains for a number of purposes. Adequate research should be conducted to determine the purpose and use of each particular domain.



The image above shows Cloudflare as the certificate authority. However, in some cases Punycode domains redirect back to the original sites. This means the legitimate company bought such domains defensively, in order to prevent their abuse.

Incident responders and SOC analysts can use SSL certificates to compare legitimate websites with suspected phishing websites. By checking the SSL certificate of the original domain against that of the suspected phishing domain, investigators can gain insight into whether the domain belongs to a legitimate business or is attempting to steal user credentials through phishing.
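The side-by-side certificate comparison described above, as an added example (not code from the original post and not a Censys or CT API client). It works on constructed, simplified certificate records whose field names are this example's own, loosely modelled on what a certificate search returns, and reports the points an analyst would look at: names shared with the brand's own certificate (the defensive-registration case from earlier, where the lookalike redirects to the real site), issuer agreement, how recently the certificate was issued, and its lifetime. The 30-day and 90-day thresholds and all issuer names are assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed records; field names are this example's own, not a real API schema.
LEGIT_CERT = {
    "names": ["microsoft.com", "www.microsoft.com"],
    "issuer_org": "Example Corporate CA",        # constructed value
    "not_before": "2024-01-10T00:00:00Z",
    "not_after": "2025-01-10T00:00:00Z",
}
SUSPECT_CERT = {
    "names": ["xn--mcrosoft-j75d.com", "www.xn--mcrosoft-j75d.com"],
    "issuer_org": "Example Free CA",             # constructed value
    "not_before": "2024-06-01T00:00:00Z",
    "not_after": "2024-08-30T00:00:00Z",
}
# A lookalike that the brand owner registered defensively: same issuer as the
# brand and the brand's apex name on the same certificate (constructed).
DEFENSIVE_CERT = {
    "names": ["microsoft.com", "xn--mcrosoft-j75d.com"],
    "issuer_org": "Example Corporate CA",
    "not_before": "2024-01-10T00:00:00Z",
    "not_after": "2025-01-10T00:00:00Z",
}

RECENT_DAYS = 30      # assumed threshold: "issued very recently"
SHORT_LIFETIME = 90   # assumed threshold: "short-lived certificate"


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_unicode(name: str) -> str:
    # Decode each Punycode label so the analyst sees what a browser would show.
    return ".".join(
        lab[4:].encode("ascii").decode("punycode") if lab.lower().startswith("xn--") else lab
        for lab in name.split(".")
    )


def compare_certificates(legit: dict, suspect: dict, now: datetime) -> dict:
    """Compare a suspected lookalike's certificate with the brand's own."""
    legit_names = {n.lower() for n in legit["names"]}
    suspect_names = {n.lower() for n in suspect["names"]}
    shared = sorted(legit_names & suspect_names)
    issuer_match = legit["issuer_org"] == suspect["issuer_org"]
    age_days = (now - _ts(suspect["not_before"])).days
    lifetime_days = (_ts(suspect["not_after"]) - _ts(suspect["not_before"])).days
    decoded = sorted(to_unicode(n) for n in suspect_names if "xn--" in n)

    indicators = []
    if not issuer_match:
        indicators.append(
            f"issuer differs: {suspect['issuer_org']!r} vs brand's {legit['issuer_org']!r}")
    if age_days < RECENT_DAYS:
        indicators.append(f"certificate issued only {age_days} days ago")
    if lifetime_days <= SHORT_LIFETIME:
        indicators.append(f"short-lived certificate ({lifetime_days} days)")
    return {
        "shared_names": shared,        # non-empty suggests the brand owns both
        "issuer_match": issuer_match,
        "cert_age_days": age_days,
        "lifetime_days": lifetime_days,
        "decoded_names": decoded,
        "indicators": indicators,      # points for the analyst to review, not a verdict
    }


if __name__ == "__main__":
    now = datetime(2024, 6, 15, tzinfo=timezone.utc)   # constructed "current" time
    print(compare_certificates(LEGIT_CERT, SUSPECT_CERT, now))
    print(compare_certificates(LEGIT_CERT, DEFENSIVE_CERT, now))
```

The two runs illustrate the distinction the post draws: the suspect record shares no names with the brand, comes from a different issuer, and was issued two weeks earlier with a 90-day lifetime, so all three review points fire; the defensive record carries the brand's apex domain on the same certificate from the same issuer, and no indicator fires.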