CASC Announces Launch of London Protocol to Improve Identity Assurance and Minimize Phishing on Identity Websites
28.06.2018 08:30 am
The Certificate Authority Security Council (CASC), an advocacy group committed to the advancement of the security of websites and online transactions, announced at the CA/Browser Forum event in London the launch of the London Protocol – an initiative to improve identity assurance and minimize the possibility of phishing activity on websites encrypted with organization validated (OV) and extended validation (EV) certificates, which contain organization identity information (Identity Certificates).
Following the recent rise in phishing attacks, five certificate authorities (CAs) from CASC developed the London Protocol to reinforce the distinction between Identity Websites and websites encrypted by domain validated (DV) certificates, which lack organization identity.
Participating CAs include Comodo CA, Entrust Datacard, GlobalSign, GoDaddy and Trustwave.
The London Protocol will be implemented in three phases over a 10-month period:
- Phase 1 (June - August 2018): Participating CAs develop Protocol details and research feasibility of implementation and may begin to implement some basic procedures.
- Phase 2 (September - November 2018): Participating CAs apply Protocol concepts to their own customers’ Identity Websites according to their own policies and procedures, share feedback with other participating CAs, refine Protocol as warranted by experience.
- Phase 3 (December 2018 - February 2019): Participating CAs update Protocol policies and procedures and approve plan for uniform policies and procedures to be applied by all participating CAs on a voluntary basis.
- Phase 4 (March 2019): Participating CAs forward report and recommendations to CA/Browser Forum for possible changes to Baseline Requirements.
“At its core, the London Protocol is designed to get back to the root of what EV and OV certificates were created for – providing online consumers better trust and assurance,” said Tony Perez, head of security products at GoDaddy.
Once the third phase of the Protocol is complete, the result of the London Protocol will be released to improve processes, maintain the integrity of authentic websites and increase user awareness, particularly when it comes to identifying an authentic website from a phishing attack.
“While there is no arguing that the advent of the encrypted internet is a move in the positive direction, it has unfortunately created user confusion and fostered an increased threat of phishing attacks with more websites being ‘secured’ with anonymous DV certificates,” said Christian Simko, vice president of marketing, Americas and EMEA, at GlobalSign.
Although affordable and often automatic, issuing DV certificates does not require CAs to verify the organization identity. Many DV certificates are issued anonymously, without legitimate contact information, making it easy for phishers to obtain them for fraudulent purposes.
“Security is best handled through layers, no single layer is 100 percent impenetrable,” said Bill Holtz, CEO at Comodo CA.
Conversely, before an OV or EV certificate can be issued, CAs are required to verify the organization information using verifiable documents, such as a government-issued business license, providing an additional layer of validation to the process.
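The distinction drawn above is visible in the certificate itself: an OV or EV certificate carries the verified organization name in the subject's O attribute, while a DV certificate carries only the domain. The following Go program, added here as an illustration and not code from CASC or any participating CA, builds constructed self-signed leaf certificates with the standard library, then classifies each by whether the subject names an organization and which CA/Browser Forum certificate-policy OID the issuer asserted (the DV, OV and EV policy OIDs are assumed from the Baseline Requirements and EV Guidelines; the page does not quote them). The hostname, organization and country values are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum reserved certificate-policy OIDs (assumed; not quoted on
// the page). A CA states which vetting it performed by including one of
// these in the certificatePolicies extension.
var (
	OidDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	OidOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	OidEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// policyInformation is RFC 5280 PolicyInformation reduced to the
// policyIdentifier; qualifiers are omitted.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

func hasPolicy(cert *x509.Certificate, want asn1.ObjectIdentifier) bool {
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(want) {
			return true
		}
	}
	return false
}

// Classify reports whether a leaf certificate carries organization identity
// (what the page calls an Identity Certificate) or only a domain binding.
// The subject O attribute is the identity; the policy OID is the CA's own
// statement of the validation level, so both are checked.
func Classify(cert *x509.Certificate) string {
	hasOrg := len(cert.Subject.Organization) > 0
	switch {
	case !hasOrg:
		return "DV" // no organization in the subject: domain control only
	case hasPolicy(cert, OidEV):
		return "EV"
	case hasPolicy(cert, OidOV):
		return "OV"
	default:
		return "OV (no CA/B policy OID)" // O present, but no vetting level asserted
	}
}

// MustNewCert builds a constructed, self-signed leaf certificate for
// demonstration. org may be empty (DV); policy may be nil (no extension).
func MustNewCert(org string, policy asn1.ObjectIdentifier) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed
		DNSNames:     []string{"www.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
		tmpl.Subject.Country = []string{"GB"}
	}
	if policy != nil {
		// Encode certificatePolicies by hand so this works on any Go version.
		val, err := asn1.Marshal([]policyInformation{{Policy: policy}})
		if err != nil {
			panic(err)
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	for _, c := range []*x509.Certificate{
		MustNewCert("", OidDV),
		MustNewCert("Example Ltd", OidOV),
		MustNewCert("Example Ltd", OidEV),
		MustNewCert("Example Ltd", nil),
	} {
		fmt.Printf("%-24s O=%v policies=%v\n", Classify(c), c.Subject.Organization, c.PolicyIdentifiers)
	}
}
```

On a real chain the same check runs on the leaf returned by `tls.ConnectionState().PeerCertificates[0]`; the point of checking both the O attribute and the policy OID is that a subject field alone is only as trustworthy as the vetting the issuing CA asserts for it.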
“Based on our research, we found that anonymity on the internet breeds nefarious activity,” said Chris Bailey, VP of strategy and business development for certificate services at Entrust Datacard. “We believe the internet will be safer for users if the sites they are visiting are organizationally identified.”
To improve internet security and awareness of these high-assurance certificates, participating CAs will collaborate on the London Protocol to find best security practices for identity assurance and to minimize phishing on Identity Websites.
“As cybercriminals continue to become more adept at bypassing security controls protecting website integrity, identity-based certificates will be crucial for safer online experiences,” said Robert J. McCullen, CEO of compliance at Trustwave.