Following the recent rise in phishing attacks, five certificate authorities (CAs) from CASC developed the London Protocol to reinforce the distinction between Identity Websites and websites encrypted by domain validated (DV) certificates, which lack organization identity.
Participating CAs include Comodo CA, Entrust Datacard, GlobalSign, GoDaddy and Trustwave.
The London Protocol will be implemented in three phases over a 10-month period:
“At its core, the London Protocol is designed to get back to the root of what EV and OV certificates were created for – providing online consumers better trust and assurance,” said Tony Perez, head of security products at GoDaddy.
Once the third phase is complete, the results of the London Protocol will be released to improve processes, maintain the integrity of authentic websites and increase user awareness, particularly in distinguishing an authentic website from a phishing site.
“While there is no arguing that the advent of the encrypted internet is a move in the positive direction, it has unfortunately created user confusion and fostered an increased threat of phishing attacks with more websites being ‘secured’ with anonymous DV certificates,” said Christian Simko, vice president of marketing, Americas and EMEA, at GlobalSign.
Although affordable and often automatic, issuing DV certificates does not require CAs to verify the organization identity. Many DV certificates are issued anonymously, without legitimate contact information, making it easy for phishers to obtain them for fraudulent purposes.
“Security is best handled through layers, no single layer is 100 percent impenetrable,” said Bill Holtz, CEO at Comodo CA.
Conversely, before an OV or EV certificate can be issued, CAs are required to verify the organization information using verifiable documents, such as a government-issued business license, providing an additional layer of validation to the process.
“Based on our research, we found that anonymity on the internet breeds nefarious activity,” said Chris Bailey, VP of strategy and business development for certificate services at Entrust Datacard. “We believe the internet will be safer for users if the sites they are visiting are organizationally identified.”
To improve internet security and awareness of these high-assurance certificates, the participating CAs will collaborate on the London Protocol to find best security practices for identity assurance and minimize phishing on identity websites.
“As cybercriminals continue to become more adept at bypassing security controls protecting website integrity, identity-based certificates will be crucial for safer online experiences,” said Robert J. McCullen, CEO of compliance at Trustwave.
For more information about CASC and its members, visit: https://casecurity.org/.
About the CASC
The Certificate Authority Security Council is comprised of leading global Certificate Authorities that are committed to the exploration and promotion of best practices that advance trusted SSL deployment and CA operations as well as the security of the internet in general. While not a standards-setting organization, the CASC works collaboratively to improve understanding of critical policies and their potential impact on the internet infrastructure. More information is available at https://casecurity.org.