The Certificate Authority Security Council (CASC), a consortium committed to advancing the security of websites and online transactions, announced this week at the CA/Browser Forum event it has launched a London Protocol initiative to improve website identity assurance based on the certificates issued by certificate authorities.
Members of the CASC include Comodo CA, Entrust Datacard, GlobalSign, GoDaddy and Trustwave. Over the next 10 months, they will collaboratively implement a common set of protocols designed to minimize phishing activity on websites employing encrypted organization validation (OV) and extended validation (EV) certificates that typically contain organization identity information (Identity Certificates).
Also over the next two months, the certificate authorities (CAs) have pledged to develop protocol details, research the feasibility of implementing that protocol and possibly implement some basic procedures. In the fall, CAs hope to apply the protocol concepts being developed to their own websites.
By February 2019, the participating CAs plan to update the London Protocol policies and procedures based on their implementation experience and approve a plan for uniform policies and procedures to be applied voluntarily by all participating CAs. By March 2019, participating CAs plan to forward a report and recommendations to the CA/Browser Forum for possible changes to baseline requirements.
Chris Bailey, vice president of strategy and business development for certificate services at Entrust Datacard, said use of certificates based on the London Protocol initially would be voluntary. But the CASC expects there to be a groundswell of support. A marked rise in phishing attacks involving fake certificates is compelling CAs to act in concert to preserve the integrity of legitimate websites, he said.
With the London Protocol, the CASC is addressing the problem of rogue CAs that issue free certificates or only domain-validated certificates, which create the illusion that a user is communicating with a valid website. On the contrary: the certificate only validates that the communication between the user's browser and the website is encrypted; it says nothing about who operates the site. The website still may be a clone of a legitimate website, and can maliciously collect data such as credit card numbers or be employed to distribute malware. The CASC is ultimately working toward creating a protocol that would eliminate rogue CAs and encourage website owners to acquire either OV or EV certificates.
Phishing attacks launched via email, which often contain links to malicious websites, continue to be the most common threat vector employed by cybercriminals. Organizations of all sizes, therefore, have a vested interest not only in making sure that certificates being issued to websites are legitimate, but also in ensuring that end users can recognize malicious sites using free or only domain-validated certificates. Naturally, that's a lot to ask of every user. But it does create an opportunity for cybersecurity professionals to block access to websites that don't have OV or EV certificates.
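The distinction the two paragraphs above rely on is visible in the certificate itself: an OV or EV certificate carries organization identity (an organizationName, usually with locality and country) in its subject, while a domain-validated certificate names only the domain. The following is an added example, not code from the CASC or any of the CAs named on this page, showing how a defender could classify a server certificate on that basis and apply the "allow only identity certificates" policy the article suggests. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the sample dictionaries, hostnames and organization names are constructed for the example, and `classify_certificate`, `access_decision` and `live_peercert` are names chosen here. The authoritative OV/EV signal is the CA/Browser Forum policy OID in the certificatePolicies extension, which `getpeercert()` does not expose, so treat this subject check as a first-pass filter.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple

# Subject layout returned by ssl.SSLSocket.getpeercert(): a tuple of RDNs,
# each RDN being a tuple of (attribute, value) pairs.
Subject = Tuple[Tuple[Tuple[str, str], ...], ...]


def subject_attr(subject: Subject, name: str) -> Optional[str]:
    """Return the first value of a subject attribute such as 'organizationName'."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def classify_certificate(peercert: Dict) -> Tuple[str, str]:
    """Classify a getpeercert() dict as 'identity' (OV/EV), 'dv', or 'unknown'.

    Heuristic: OV/EV certificates carry organization identity in the subject;
    a domain-validated certificate names only the domain (commonName and/or
    subjectAltName). Returns (kind, human-readable reason).
    """
    if not peercert:
        # getpeercert() returns {} when the TLS layer never validated the
        # certificate (e.g. ssl.CERT_NONE); refuse to classify rather than guess.
        return "unknown", "certificate not validated by the TLS layer"
    subject = peercert.get("subject", ())
    org = subject_attr(subject, "organizationName")
    if org:
        return "identity", f"subject names organization '{org}'"
    dns_names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    cn = subject_attr(subject, "commonName")
    return "dv", f"no organization in subject; names only {dns_names or [cn]}"


def access_decision(peercert: Dict, require_identity: bool = True) -> Tuple[bool, str]:
    """Blocking policy: allow a site only if it presents an identity certificate."""
    kind, reason = classify_certificate(peercert)
    if kind == "identity" or not require_identity:
        return True, reason
    return False, reason


def live_peercert(host: str, port: int = 443) -> Dict:
    """Fetch the validated peer certificate of a live host (not called below)."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    with ctx.wrap_socket(socket.create_connection((host, port)),
                         server_hostname=host) as tls:
        return tls.getpeercert()


# Constructed sample dictionaries in the shape getpeercert() returns.
# These are not real certificates; the names are invented for the example.
OV_SAMPLE = {
    "subject": ((("countryName", "US"),),
                (("stateOrProvinceName", "Minnesota"),),
                (("organizationName", "Example Bank, Inc."),),
                (("commonName", "www.example-bank.test"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"),),
}
DV_SAMPLE = {  # look-alike domain with a domain-validated certificate
    "subject": ((("commonName", "example-bank-login.test"),),),
    "subjectAltName": (("DNS", "example-bank-login.test"),
                       ("DNS", "www.example-bank-login.test")),
}
UNVALIDATED_SAMPLE: Dict = {}


if __name__ == "__main__":
    for label, cert in (("OV", OV_SAMPLE), ("DV", DV_SAMPLE),
                        ("unvalidated", UNVALIDATED_SAMPLE)):
        allowed, why = access_decision(cert)
        print(f"{label:>12}: {'ALLOW' if allowed else 'BLOCK'} ({why})")
```

In a proxy or endpoint agent, `access_decision` would run on the certificate of each outbound TLS connection; the `unknown` outcome is deliberately blocked, because a certificate the TLS layer did not validate gives no basis for an identity claim at all.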
Of course, there may never be such a thing as perfect security on the web. But making sure the certificates being issued to websites serve their intended purpose represents as good a place to start as any.