Can today’s data security technologies protect us from the phishing attacks? Is there an ultimate way to combat phishing once and for all? Five leading certificate assurance (CA) companies have joined their efforts in an attempt to find the answer to these questions. Entrust Datacard, Comodo, GoDaddy, Trustwave and GlobalSign were the first CAs to join the London protocol, an interesting initiative meant to improve website identity certificates and address the problem of phishing.
What’s the London Protocol?
The launch of the London protocol was announced at the 2018 Certificate Authority/Browser (CAB) Forum in London. The initiative aims to understand the ways of SSL/TLS certificate misuse and whether there’s anything the CAs can do to reduce the risk of phishing attacks. The protocol is mainly focused on how applicants obtain SSL/TLS certificates for their websites.
Broadly speaking, all SSL/TLS certificates can be split into three large groups:
- Organization Validated (OV)
- Extended Validation (EV)
- Domain Validated (DV)
In the case of the first two groups in this list, CAs verify the organization information by requesting verifiable documents from a website owner.
DV certificates require the least validation and are the easiest to attain. CAs usually don’t verify the identity of an organization before issuing a DV certificate to it and don’t have any legitimate contact information of the website owner. The DV certificates are issued automatically upon an applicant proof of some control over a DNS domain (email, records or web hosting account).
Such anonymity makes it much easier for the phishers to launch more new websites with DV certificates and use these websites for fraudulent purposes.
Does Less Anonymity Mean Fewer Phishing Attacks?
Reducing phishing on the identity debsites is one of the key missions of the London protocol. According to a report by HashedOut, between January 2016 and March 2017, Let’s Encrypt, a certificate assurance company, issued more than 15 thousands of SSL certificates with the word “PayPal.” There’s a suggestion that the vast majority of these certificates was obtained to be used on fraudulent websites.
This number shows just how much of a problem the lack of identity control is when it comes to issuing SSL/TLS certificates.
On the other hand, a research conducted by Comodo and Entrust Datacard shows that among all phishing websites encrypted with a trusted SSL/TLS certificate, 99.82 percent have a DV certificate. So the verified identity of the owner is an important indicator of a website safety. This is exactly what the London protocol focuses on.
The initiators of the London protocol want to improve the distinction between the so-called identity websites (the ones with OV and EV certificates) and the websites with DV certificates. However, according to Chris Bailey from Entrust Datacard, they aren’t going to change the way different types of SSL/TLS certificates are shown in web browsers. The main goal of this initiative is to make sure that the identity of the website owner showcased in the certificates can be relied upon.
Stages of the London Protocol
The London protocol is a multi-staged initiative that’s supposed to be implemented within a 10-month period, starting from June 2018. Here are the three steps the document suggest every participating CA should do to reduce the level of phishing activity:
- Monitor – Proactive monitoring of all phishing reports for websites certified with their OV and EV is a must for every CA.
- React – CAs should help their customers prevent phishing activity. If the phishing content was found on a website of their customer, CAs should notify the website owner about the fact and help them mitigate the attack.
- Share – All participants should contribute to a common database which would include data about the websites with a phishing content.
The process of the London protocol implementation consists of four stages:
- June to August 2018 — The development of the London protocol details by the CAs participating in the initiative.
- September to November 2018 — The participants of the initiative start applying the concepts of the protocol to the identity websites of their customers and provide feedback on the results to share it with other CAs.
- December 2018 to February 2019 — The CAs involved in the initiative update the protocol policies to create an ultimate guideline for all CAs to follow on a voluntary basis.
- March 2019 forward — The participants of the protocol are expected to provide further feedback and suggest possible improvements of the baseline requirements if necessary.
It’s noteworthy that the initiative suggests sharing only ad hoc data on the websites with a phishing content. CAs will be able to use this data when issuing new OV and EV certificates to their customers’ websites. Improved identity assurance also can be helpful in solving other security issues, including the use of gathered data by browser filters and anti-phishing engines.
The London protocol shows that the industry leaders are willing to work as one team to improve identity assurance and increase the level of cybersecurity for both their commercial customers and regular website users. And even though it’s hard to say whether implementing this protocol will be enough to solve the problem of phishing altogether, it’s a nice start.
Sharing data about phishing activity can help the CAs understand both the nature of phishing attacks and the motives of the people behind them. But since the participation in the London protocol is 100 percent voluntary, many CAs can either refuse to join the initiative altogether or choose not to adopt all of the recommended practices that will be released in the baseline requirements after the third stage is over.