Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/23/2018
10:30 AM
Chris Bailey
Chris Bailey
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

London Calling with New Strategies to Stop Ransomware

The new London Protocol from the Certificate Authority Security Council/Browser Forum aims to minimize the possibility of phishing activity on high-value identity websites.

Website security begins with having a confirmed identity of the website owner to prevent phishing attacks. Without it, online users are at a major disadvantage against identity fraudsters with fake domain validation phishing sites that imitate high-value sites to steal passwords and credit card numbers.

The genesis of the London Protocol, an initiative to improve identity assurance and minimize the possibility of phishing activity, rests on data presented by multiple sources indicating that anonymous domain validation SSL/TLS certificates are the principal reason for a recent rise in phishing attacks, along with our collective interest in preserving secure Internet transactions to protect both organizations and the user community who transacts with them.

The London Protocol's primary focus is to improve identity assurance and minimize the possibility of phishing activity on websites encrypted with organization validated (OV) and extended validation (EV) certificates, which contain verified organization identity information (Identity Certificates) to tell users they will be safer at those sites. We chose the name "London Protocol" because we officially announced the agreement at the most recent face-to-face meeting of the Certificate Authority Security Council/Browser Forum in London last month.

The genesis of our action stemmed from a report from HashedOut noting that "between January 1st, 2016 and March 6th, 2017, the Let's Encrypt certificate authority issued a total of 15,270 SSL certificates containing the word 'PayPal.'" These Let's Encrypt certificates were issued to bad actors who used the name "PayPal" in their domains to trick online users into sending their personal data — in other words, to commit identity theft. The certificates issued by Let's Encrypt are solely domain-validated certificates, which means that they can be issued to anonymous websites because issuance is 100% automated.

Identity Certificates: A Brief History
Back in 2001, only OV identity certificates were used to secure websites. For most CAs, obtaining an OV certificate was a detailed process that could take time to complete. At the time, we needed a different kind of certificate for organizations that needed to get certificates faster for encrypted communications on less sensitive websites, which is why I was one of the inventors of Domain Validated (DV) certificates. The intention was to create a digital certificate that could be validated quickly where proof of website ownership was not as important for user security, such as blogs and information pages. We figured that limiting validation steps for DV certificates to proof of domain ownership would be sufficient because it would prevent fraudsters from getting certificates for domains they didn’t own.

Unfortunately, DV certificates are now being used in a way that was never intended, leading to a surge in phishing attacks on fake websites encrypted with DV certificates. Encryption assures that sensitive data is safely communicated to the domain owner. However, the absence of a confirmed organization identity means the data can get transmitted safely to a bad actor trying to steal user information.

To make websites even safer for users, I then joined a small group of co-inventors of the Extended Validation or EV certificate. EV certificates are issued only after a thorough and strict vetting procedure that follow standardized guidelines binding on all CAs. The EV certificates developed by the CA/Browser Forum are displayed in the browser address bar to confirm website identity, tell users who's behind the site, and offer potential recourse for any bad actions.

We tested our hypothesis that users are safer at OV and EV sites by collaborating with ComodoCA, recognized as one of the leaders in DV certificate issuance worldwide. Our research paper, "The Relative Incidence of Phishing among DV, OV and EV Encrypted Websites," shows that over 99.5% of encrypted websites with phishing content use DV certificates, while there is almost no phishing associated with OV and EV websites. The data confirms our hypothesis that OV and EV certificates are safer for users than DV.

But as safe as OV and EV websites are today, we want to make them even safer. This brings us to the London Protocol, under which five CAs from the CA Security Council are cooperating to improve identity assurance and minimize the possibility of phishing activity on identity websites. Each participating CA will work with its OV and EV customers to help them remove any phishing content on their websites to make identity websites even safer for users. This effort will help to counter the surge of DV phishing attacks across major brands and let users feel safer when visiting OV and EV sites.

Read more about the London Protocol's phased approach and hear from the other member certificate authorities.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Chris Bailey joined Entrust Datacard following its acquisition of Trend Micro SSL where he served as the general manager. Prior to that, Bailey served as the CEO and co-founder of the certification authority AffirmTrust, which was acquired by Trend Micro in 2011, and as ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
rmerkle
50%
50%
rmerkle,
User Rank: Apprentice
7/26/2018 | 12:31:22 PM
General User Education
Now that you hvae created three levels of domain certificates you need to provide a simple way for the general public to tell the which is in use at a site they go to and its relative level of security. Only then can the puboic begin to force web sites to use the safest certificate format, which is probabl the most effective say to get sites to improve their choicese in whcih certifcate to use. 

With different costs of use, even if only in the time to apply for a certifictate, expect web sites to favor the simplest and lowest cost certificate they can use, which will be the weakest. Therefore to be truly effective and have the greatest impact on security, you need to educate hte general public about them and how to tell them apart. When will such a program begin? Do you have good marketers prparing it? 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.