The Certificate Authority Security Council (CASC) has launched the London Protocol to improve identity assurance and minimise phishing on identity websites.
CASC, an advocacy group committed to the advancement of the security of websites and online transactions, launched the initiative at the CA/Browser Forum.
Five certificate authorities (CAs) from CASC developed the London Protocol, including Comodo CA, Entrust Datacard, GlobalSign, GoDaddy and Trustwave.
London Protocol is looking to reinforce the distinction between identity websites and websites encrypted by domain validated (DV) certificates, which lack organisation identity.
The initiative will look to improve identity assurance and minimise the possibility of phishing activity on websites encrypted with organisation validated (OV) and extended validation (EV) certificates, which contain organisation identity information (Identity Certificates).
The London Protocol will be implemented in three phases over a 10-month period, ending in March 2019. Once this is completed, the results will be released to improve processes, maintain the integrity of authentic websites and increase user awareness, particularly when it comes to identifying an authentic website from a phishing attack.
“While there is no arguing that the advent of the encrypted internet is a move in the positive direction, it has unfortunately created user confusion and fostered an increased threat of phishing attacks with more websites being ‘secured’ with anonymous DV certificates,” said Christian Simko, vice president of marketing, Americas and EMEA, at GlobalSign.
Issuing DV certificates does not require CAs to verify the organisation identity, and many DV certificates are issued anonymously without legitimate contact information, making it easy for phishers to get them for fraudulent purposes. Before an OV or EV certificate can be issued, CAs are required to verify the organisation information using verifiable documents, such as a government-issued business license.
“As cybercriminals continue to become more adept at bypassing security controls protecting website integrity, identity-based certificates will be crucial for safer online experiences,” said Robert J. McCullen, CEO of compliance at Trustwave.
Copyright © 2018 RegTech Analyst