Appendix 'New Phish on the Block'

List of implemented features. Multiple implementations of the same base feature are grouped. Features marked with an an asterisk are proposed by us.
Feature name Description Number of Features
duration_valid Duration of the certificate's validity 1
download_x Difference between date of download and date of validity start and end, respectively 2
issuerCn_issuerO_x Similarity of IssuerCN and OrganizationName calculated by Equality, Smith-Waterman-Algorithm, and substring search 3
issuerO_issuerOu_x Difference of OrganizationName and OrganizationUnitName calculated by Smith-Waterman-Algorithm and substring search 2
domain_subjectCn_x Similarity of domain and SubjectCN calculated by Equality, Smith-Waterman-Algorithm, Levenshtein distance, and substring search 4
issuerCn_subjectCn_x Similarity of IssuerCN and SubjectCN calculated by Equality, Smith-Waterman-Algorithm, Levenshtein distance, and substring search 4
issuerCN_domain_x Similarity of IssuerCN and domain calculated by Equality and substring search 2
isTrustedCa Checks if the IssuerCN is in the list of trusted certificate authorities provided by Mozilla's Included CA Certificates 1
isHighlyTrusted Checks if the Strings 'Thawte' or 'Verisign' are substrings of the IssuerCN 1
isProhibited_x Checks for invalid values in IssuerCN and SubjectCN 2
check_issuerUS Check if the Issuer CountryName is the United States (US) 1
length_certSerial Length of the serial number 1
counter_extensions Counts the number of used extensions in the certificate 1
check_publicKeySize Size of the public key 1
cryptographic_algo Checks if secure algorithms are used 1
version Checks if certificate is of version 3 1
check_x Checks if the fields State, Locality, and Country are filled for SubjectCN and IssuerCN. Further it checks if authorityKeyId, keyUsage, extendedKU, certPolicies, subjectAltName, issuerAltName, basicConstraints, CRLDistPoints, freshestCRL, and authorityInfoAc are set. 16
check_xCN Checks if the fields SubjectCN and IssuerCN exist 2
check_x_com Checks if IssuerCN or SubjectCN contains a .com domain 2
xCN_only Checks if only IssuerCN or SubjectCN is filled 2
xON Checks if the field OrganizationName is filled for SubjectCN or IssuerCN 2
number_x Counts the number of hyphens, digits, and numbers in the domain name 3
topLevelDomain Calculates the Index of the top-level domain 1
*isWildcard Checks if a wildcard SubjectCN is used 1
*issuer_meanValue Counts the relative frequency of the used IssuerCN 1
*lets_encrypt_issuerCn Checks if issued by Let's Encrypt 1
*cpanel_issuerCn Checks if issued by cPanel 1
*check_ellipticCurve Check if elliptic-curves cryptography is used 1