Endpoint

7/23/2018
10:30 AM
Chris Bailey
Chris Bailey
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

London Calling with New Strategies to Stop Ransomware

The new London Protocol from the Certificate Authority Security Council/Browser Forum aims to minimize the possibility of phishing activity on high-value identity websites.

Website security begins with having a confirmed identity of the website owner to prevent phishing attacks. Without it, online users are at a major disadvantage against identity fraudsters with fake domain validation phishing sites that imitate high-value sites to steal passwords and credit card numbers.

The genesis of the London Protocol, an initiative to improve identity assurance and minimize the possibility of phishing activity, rests on data presented by multiple sources indicating that anonymous domain validation SSL/TLS certificates are the principal reason for a recent rise in phishing attacks, along with our collective interest in preserving secure Internet transactions to protect both organizations and the user community who transacts with them.

The London Protocol's primary focus is to improve identity assurance and minimize the possibility of phishing activity on websites encrypted with organization validated (OV) and extended validation (EV) certificates, which contain verified organization identity information (Identity Certificates) to tell users they will be safer at those sites. We chose the name "London Protocol" because we officially announced the agreement at the most recent face-to-face meeting of the Certificate Authority Security Council/Browser Forum in London last month.

The genesis of our action stemmed from a report from HashedOut noting that "between January 1st, 2016 and March 6th, 2017, the Let's Encrypt certificate authority issued a total of 15,270 SSL certificates containing the word 'PayPal.'" These Let's Encrypt certificates were issued to bad actors who used the name "PayPal" in their domains to trick online users into sending their personal data — in other words, to commit identity theft. The certificates issued by Let's Encrypt are solely domain-validated certificates, which means that they can be issued to anonymous websites because issuance is 100% automated.

Identity Certificates: A Brief History
Back in 2001, only OV identity certificates were used to secure websites. For most CAs, obtaining an OV certificate was a detailed process that could take time to complete. At the time, we needed a different kind of certificate for organizations that needed to get certificates faster for encrypted communications on less sensitive websites, which is why I was one of the inventors of Domain Validated (DV) certificates. The intention was to create a digital certificate that could be validated quickly where proof of website ownership was not as important for user security, such as blogs and information pages. We figured that limiting validation steps for DV certificates to proof of domain ownership would be sufficient because it would prevent fraudsters from getting certificates for domains they didn’t own.

Unfortunately, DV certificates are now being used in a way that was never intended, leading to a surge in phishing attacks on fake websites encrypted with DV certificates. Encryption assures that sensitive data is safely communicated to the domain owner. However, the absence of a confirmed organization identity means the data can get transmitted safely to a bad actor trying to steal user information.

To make websites even safer for users, I then joined a small group of co-inventors of the Extended Validation or EV certificate. EV certificates are issued only after a thorough and strict vetting procedure that follow standardized guidelines binding on all CAs. The EV certificates developed by the CA/Browser Forum are displayed in the browser address bar to confirm website identity, tell users who's behind the site, and offer potential recourse for any bad actions.

We tested our hypothesis that users are safer at OV and EV sites by collaborating with ComodoCA, recognized as one of the leaders in DV certificate issuance worldwide. Our research paper, "The Relative Incidence of Phishing among DV, OV and EV Encrypted Websites," shows that over 99.5% of encrypted websites with phishing content use DV certificates, while there is almost no phishing associated with OV and EV websites. The data confirms our hypothesis that OV and EV certificates are safer for users than DV.

But as safe as OV and EV websites are today, we want to make them even safer. This brings us to the London Protocol, under which five CAs from the CA Security Council are cooperating to improve identity assurance and minimize the possibility of phishing activity on identity websites. Each participating CA will work with its OV and EV customers to help them remove any phishing content on their websites to make identity websites even safer for users. This effort will help to counter the surge of DV phishing attacks across major brands and let users feel safer when visiting OV and EV sites.

Read more about the London Protocol's phased approach and hear from the other member certificate authorities.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Chris Bailey joined Entrust Datacard following its acquisition of Trend Micro SSL where he served as the general manager. Prior to that, Bailey served as the CEO and co-founder of the certification authority AffirmTrust, which was acquired by Trend Micro in 2011, and as ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rmerkle
50%
50%
rmerkle,
User Rank: Apprentice
7/26/2018 | 12:31:22 PM
General User Education
Now that you hvae created three levels of domain certificates you need to provide a simple way for the general public to tell the which is in use at a site they go to and its relative level of security. Only then can the puboic begin to force web sites to use the safest certificate format, which is probabl the most effective say to get sites to improve their choicese in whcih certifcate to use. 

With different costs of use, even if only in the time to apply for a certifictate, expect web sites to favor the simplest and lowest cost certificate they can use, which will be the weakest. Therefore to be truly effective and have the greatest impact on security, you need to educate hte general public about them and how to tell them apart. When will such a program begin? Do you have good marketers prparing it? 
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.