Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/23/2018
10:30 AM
Chris Bailey
Chris Bailey
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

London Calling with New Strategies to Stop Ransomware

The new London Protocol from the Certificate Authority Security Council/Browser Forum aims to minimize the possibility of phishing activity on high-value identity websites.

Website security begins with having a confirmed identity of the website owner to prevent phishing attacks. Without it, online users are at a major disadvantage against identity fraudsters with fake domain validation phishing sites that imitate high-value sites to steal passwords and credit card numbers.

The genesis of the London Protocol, an initiative to improve identity assurance and minimize the possibility of phishing activity, rests on data presented by multiple sources indicating that anonymous domain validation SSL/TLS certificates are the principal reason for a recent rise in phishing attacks, along with our collective interest in preserving secure Internet transactions to protect both organizations and the user community who transacts with them.

The London Protocol's primary focus is to improve identity assurance and minimize the possibility of phishing activity on websites encrypted with organization validated (OV) and extended validation (EV) certificates, which contain verified organization identity information (Identity Certificates) to tell users they will be safer at those sites. We chose the name "London Protocol" because we officially announced the agreement at the most recent face-to-face meeting of the Certificate Authority Security Council/Browser Forum in London last month.

The genesis of our action stemmed from a report from HashedOut noting that "between January 1st, 2016 and March 6th, 2017, the Let's Encrypt certificate authority issued a total of 15,270 SSL certificates containing the word 'PayPal.'" These Let's Encrypt certificates were issued to bad actors who used the name "PayPal" in their domains to trick online users into sending their personal data — in other words, to commit identity theft. The certificates issued by Let's Encrypt are solely domain-validated certificates, which means that they can be issued to anonymous websites because issuance is 100% automated.

Identity Certificates: A Brief History
Back in 2001, only OV identity certificates were used to secure websites. For most CAs, obtaining an OV certificate was a detailed process that could take time to complete. At the time, we needed a different kind of certificate for organizations that needed to get certificates faster for encrypted communications on less sensitive websites, which is why I was one of the inventors of Domain Validated (DV) certificates. The intention was to create a digital certificate that could be validated quickly where proof of website ownership was not as important for user security, such as blogs and information pages. We figured that limiting validation steps for DV certificates to proof of domain ownership would be sufficient because it would prevent fraudsters from getting certificates for domains they didn’t own.

Unfortunately, DV certificates are now being used in a way that was never intended, leading to a surge in phishing attacks on fake websites encrypted with DV certificates. Encryption assures that sensitive data is safely communicated to the domain owner. However, the absence of a confirmed organization identity means the data can get transmitted safely to a bad actor trying to steal user information.

To make websites even safer for users, I then joined a small group of co-inventors of the Extended Validation or EV certificate. EV certificates are issued only after a thorough and strict vetting procedure that follow standardized guidelines binding on all CAs. The EV certificates developed by the CA/Browser Forum are displayed in the browser address bar to confirm website identity, tell users who's behind the site, and offer potential recourse for any bad actions.

We tested our hypothesis that users are safer at OV and EV sites by collaborating with ComodoCA, recognized as one of the leaders in DV certificate issuance worldwide. Our research paper, "The Relative Incidence of Phishing among DV, OV and EV Encrypted Websites," shows that over 99.5% of encrypted websites with phishing content use DV certificates, while there is almost no phishing associated with OV and EV websites. The data confirms our hypothesis that OV and EV certificates are safer for users than DV.

But as safe as OV and EV websites are today, we want to make them even safer. This brings us to the London Protocol, under which five CAs from the CA Security Council are cooperating to improve identity assurance and minimize the possibility of phishing activity on identity websites. Each participating CA will work with its OV and EV customers to help them remove any phishing content on their websites to make identity websites even safer for users. This effort will help to counter the surge of DV phishing attacks across major brands and let users feel safer when visiting OV and EV sites.

Read more about the London Protocol's phased approach and hear from the other member certificate authorities.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Chris Bailey joined Entrust Datacard following its acquisition of Trend Micro SSL where he served as the general manager. Prior to that, Bailey served as the CEO and co-founder of the certification authority AffirmTrust, which was acquired by Trend Micro in 2011, and as ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rmerkle
50%
50%
rmerkle,
User Rank: Apprentice
7/26/2018 | 12:31:22 PM
General User Education
Now that you hvae created three levels of domain certificates you need to provide a simple way for the general public to tell the which is in use at a site they go to and its relative level of security. Only then can the puboic begin to force web sites to use the safest certificate format, which is probabl the most effective say to get sites to improve their choicese in whcih certifcate to use. 

With different costs of use, even if only in the time to apply for a certifictate, expect web sites to favor the simplest and lowest cost certificate they can use, which will be the weakest. Therefore to be truly effective and have the greatest impact on security, you need to educate hte general public about them and how to tell them apart. When will such a program begin? Do you have good marketers prparing it? 
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We are really excited about our new two tone authentication system!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4126
PUBLISHED: 2020-12-01
HCL iNotes is susceptible to a sensitive cookie exposure vulnerability. This can allow an unauthenticated remote attacker to capture the cookie by intercepting its transmission within an http session. Fixes are available in HCL Domino and iNotes versions 10.0.1 FP6 and 11.0.1 FP2 and later.
CVE-2020-4129
PUBLISHED: 2020-12-01
HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.
CVE-2020-9115
PUBLISHED: 2020-12-01
ManageOne versions 6.5.1.1.B010, 6.5.1.1.B020, 6.5.1.1.B030, 6.5.1.1.B040, ,6.5.1.1.B050, 8.0.0 and 8.0.1 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on the plug-in component. Due to insufficient input validation of ...
CVE-2020-9116
PUBLISHED: 2020-12-01
Huawei FusionCompute versions 6.5.1 and 8.0.0 have a command injection vulnerability. An authenticated, remote attacker can craft specific request to exploit this vulnerability. Due to insufficient verification, this could be exploited to cause the attackers to obtain higher privilege.
CVE-2020-14193
PUBLISHED: 2020-11-30
Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & <jira-installation>/jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The ...