The London Protocol Aims to Expose the Misuse of Machine Identities in Phishing Attacks

According to a document published by the CASC in early June, the London Protocol’s implementation will proceed in four phases. GlobalSign and the others have already begun the first phase, which involves announcing the Protocol, researching its implementation and beginning to enact its basic procedures. Phase Two will begin in September 2018 when participating CAs start to apply the Protocol to their customers’ identity websites. December will mark the beginning of Phase Three when the participating CAs will develop policies and procedures for universal implementation of the Protocol across all CAs. This all culminates with Phase Four in March 2019 when the founding participants are slated to share their findings and recommend possible changes to the Baseline Requirements of the CA/Browser forum.

As the London Protocol gathers steam, organizations should take steps of their own to prevent phishers from misusing their OV and EV web certificates. A crucial part of this process involves gaining complete visibility into their machine identities. Learn how Venafi can help.

Related posts

• PayPal Phishing Fiascos: Protecting Yourself from Fraudulent Certificates
• Reddit Clone Site Uses SSL Certificate to Lure Users into Handing Over Login Credentials
• Preventing Your Webservers from Becoming Phishing Sites – Eliminate Wildcard Certificates

David Bisson

An advocacy group has announced the creation of a new protocol for the purpose of minimizing phishing activity on “identity websites.”

On 27 June, the Certificate Authority Security Council (CASC) unveiled the launch of the London Protocol at a CA/Browser forum event in London. The standard will help further differentiate websites encrypted with organization validated (OV) and extended validation (EV) certificates from websites protected by domain validated (DV) certificates. EV and OV certificates are collectively known as identity certificates because both of these types of machine identities contain organization identity information.

As of this writing, five public certificate authorities (CAs) have agreed to uphold the London Protocol and begin implementing its procedures. These entities are as follows: Comodo CA, Entrust Datacard, GlobalSign, GoDaddy and Trustwave.

Christian Simko, vice president of marketing for the Americas and EMEA at GlobalSign, said the London Protocol is all about maintaining authenticated websites’ integrity while minimizing anonymity online. As quoted in a press release:

“While there is no arguing that the advent of the encrypted internet is a move in the positive direction, it has unfortunately created user confusion and fostered an increased threat of phishing attacks with more websites being ‘secured’ with anonymous DV certificates.”

The five participating CAs agreed to voluntarily band together under the London Protocol to contribute to a common database designed to reduce future phishing content on the web. Upon the database’s completion, other CAs can get guidance before issuing new OV and EV certificates. Additionally, the CAs will actively monitor phishing reports for websites encrypted with their OV and EV certificates and work with website owners if phishers hijack their sites.