The London Protocol Takes Action to Improve Identity Assurance for SSL/TLS Certificates
June 28, 2018
By Chris Bailey, VP of Strategy, Entrust Datacard
You can’t ignore the data. It points to a surge in phishing attacks on websites that lack a confirmed identity. These phishing attacks originate from anonymous, lookalike websites that often use brand names in their encrypted URLs to trick the user community. The salient point is that anonymity gives bad actors the cover they need to carry out nefarious online activity. The lack of any identifying information on a website makes it impossible to track the nefarious activity back to the perpetrator.
The London Protocol is an initiative brought forward by five competing certification authorities (CAs) who are banding together in an effort to eliminate the possibility of phishing activity on websites encrypted with organization validated (OV) and extended validation (EV) certificates, which contain verified organization identity information (“identity certificates”). These “identity websites” are already demonstrably safer for users than anonymous domain validated (DV) websites. Under the London Protocol, participating CAs will work with any OV or EV customers they find with phishing content on their sites (most often placed there by hackers without the website owners’ knowledge) and help them remove the content and strengthen their sites, so that users are even safer than on DV sites. We chose the name “London Protocol” because we officially announced the agreement at the most recent CA/Browser Forum meeting in London.
CAs collectively serve organizations of all sizes by providing secure online transactions and identity assurance. A critical analysis by Forrester®, its recent report What Does “Secure” Really Mean? Perception and Expectations on Browser UI Security Indicators, reveals that “82% of firms are concerned fraudsters could imitate their website.” Phishing attacks are not just on our minds; they are on the minds of many of the IT executives surveyed who work in the finance and retail industries. This guides our collective efforts to promote website security by defending against phishing attacks.
A report by HashedOut revealed that, “Between January 1st, 2016 and March 6th, 2017, Let’s Encrypt has issued a total of 15,270 SSL certificates containing the word ‘PayPal’.” Let’s Encrypt uses 100% automation to issue domain validated (DV) certificates, which means that websites can get these certificates with complete anonymity. These certificates were issued to bad actors who used the name PayPal in their domain to commit identity theft by tricking online users into sending their personal data. This article was an early warning signal that steps needed to be taken to protect organizations and the user community from being tricked into making digital transactions on phishing sites.
Before jumping to conclusions, we needed to test our hypothesis that identity websites were safer than anonymous websites. We collaborated with Comodo, recognized as one of the leaders in DV certificate issuance worldwide, on a research paper, the Relative Incidence of Phishing Among DV, OV and EV Encrypted Websites. The research included data provided by Phishbank and Netcraft and showed us that over 99.5% of encrypted websites that are associated with phishing attacks use DV certificates. According to Phishbank, that number jumped to 99.8% in May 2018 — of the 4,932 encrypted phishing sites they found, 99.8% of them used DV certificates as opposed to OV or EV certificate types. In contrast, there is almost no phishing on OV or EV sites, and the London Protocol aims to help identity websites remove any phishing content that may be added by hackers.
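The distinction the post relies on, that an OV or EV certificate names a verified organization while a DV certificate binds only a domain, and the problem of brand names appearing in anonymously issued certificates, can both be made concrete in code. The following is an added example written for this page, not Entrust Datacard's or the London Protocol's own tooling. It classifies certificates as DV, OV or EV from the subject's organizationName and the CA/Browser Forum policy OIDs, then queues for review any DV certificate whose names embed a monitored brand. The certificate records are constructed samples shaped like the dict Python's ssl.SSLSocket.getpeercert() returns, with an added "policies" key that getpeercert() does not actually provide (an assumption for this example; a real pipeline would take the OIDs from a full X.509 parser or a Certificate Transparency log entry). "ExamplePay" is a fictional brand.

```python
"""Classify TLS certificates as DV, OV or EV and flag anonymous (DV) certificates
whose names embed a monitored brand. Records are constructed samples shaped like
ssl.SSLSocket.getpeercert() output plus an assumed 'policies' key (getpeercert()
does not expose certificatePolicies itself)."""

# CA/Browser Forum reserved certificate-policy OIDs (Baseline Requirements DV/OV,
# EV Guidelines EV). These are published values, not constructed.
POLICY_DV = "2.23.140.1.2.1"
POLICY_OV = "2.23.140.1.2.2"
POLICY_EV = "2.23.140.1.1"

# Constructed brand list for a fictional payment company.
MONITORED_BRANDS = ["ExamplePay"]

# Constructed certificate records (no real issuer, domain or organization).
SAMPLE_CERTS = [
    {   # EV: verified organization plus the EV policy OID
        "subject": ((("countryName", "US"),), (("organizationName", "ExamplePay, Inc."),),
                    (("commonName", "www.examplepay.test"),)),
        "subjectAltName": (("DNS", "www.examplepay.test"), ("DNS", "examplepay.test")),
        "policies": [POLICY_EV],
    },
    {   # OV: verified organization, no EV policy
        "subject": ((("countryName", "US"),), (("organizationName", "ExamplePay, Inc."),),
                    (("commonName", "shop.examplepay.test"),)),
        "subjectAltName": (("DNS", "shop.examplepay.test"),),
        "policies": [POLICY_OV],
    },
    {   # DV: no organization at all, brand embedded in an unrelated domain
        "subject": ((("commonName", "examplepay-secure-login.test"),),),
        "subjectAltName": (("DNS", "examplepay-secure-login.test"),),
        "policies": [POLICY_DV],
    },
    {   # DV: no organization, no brand overlap
        "subject": ((("commonName", "blog.unrelated.test"),),),
        "subjectAltName": (("DNS", "blog.unrelated.test"),),
        "policies": [POLICY_DV],
    },
]


def subject_attr(cert, name):
    """Return the first value of attribute `name` from a getpeercert()-style subject."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def classify(cert):
    """Return 'EV', 'OV' or 'DV'.

    EV needs both a verified organizationName and the CA/B Forum EV policy OID;
    OV needs an organizationName; a certificate with neither binds only a domain."""
    org = subject_attr(cert, "organizationName")
    if org and POLICY_EV in cert.get("policies", ()):
        return "EV"
    return "OV" if org else "DV"


def dns_names(cert):
    """Lower-cased DNS names the certificate covers (SAN entries plus commonName)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = subject_attr(cert, "commonName")
    if cn and cn not in names:
        names.append(cn)
    return [n.lower() for n in names]


def brand_hits(cert, brands):
    """DNS names on the certificate that contain any monitored brand string."""
    lowered = [b.lower() for b in brands]
    return [n for n in dns_names(cert) if any(b in n for b in lowered)]


def review(certs, brands):
    """Summarise each certificate for a brand-monitoring queue.

    A DV certificate that embeds a monitored brand has no accountable organization
    behind it, so it is queued for review; an OV/EV certificate carries a verified
    organization name that can be contacted if its site is found hosting phishing."""
    report = []
    for cert in certs:
        kind = classify(cert)
        hits = brand_hits(cert, brands)
        report.append({
            "name": dns_names(cert)[0],
            "type": kind,
            "organization": subject_attr(cert, "organizationName"),
            "brand_hits": hits,
            "needs_review": kind == "DV" and bool(hits),
        })
    return report


if __name__ == "__main__":
    for row in review(SAMPLE_CERTS, MONITORED_BRANDS):
        flag = "REVIEW" if row["needs_review"] else "ok"
        print(f'{row["type"]:2} {flag:6} {row["name"]}  org={row["organization"]}')
```

Run as a script, the third record is the only one queued: it carries the brand string but no organization, which is exactly the anonymous lookalike pattern the post describes. The OV and EV records also carry the brand, but they name an organization the brand owner or CA can contact, so they are reported without being flagged.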
Fraudsters follow the money. The money is online, and the way to get it is by stealing the information the user community transmits during online transactions through look-alike sites that imitate major brands. Fraudsters will continue to come up with clever new scams to get to the money. Several sources point to the fact that phishing activity on websites encrypted with DV certificates, which lack a confirmed identity, is on the rise. We know that a tougher vetting process focused on the identity of the website owner is what’s needed to protect the user community and the brands they transact with – this is the added protection that identity websites bring.
The initial five CAs who are participating in London Protocol are addressing these issues by making OV and EV websites – already much safer than anonymous DV websites – even safer for users by working with their identity certificate customers. It’s an exciting new approach to improving user safety and adding transparency to who is behind websites the user is visiting. Other CAs are already expressing interest in joining, and we will publish our results in coming months showing the impact we are having.
Read more about the London Protocol’s phased approach and hear from the other member CAs.
About the Author
Chris Bailey | Vice President of Strategy for Entrust Datacard’s certification authority. Bailey joined Entrust Datacard following its acquisition of Trend Micro SSL where he served as the General Manager. Prior to that, Bailey served as the CEO and co-founder of the certification authority AffirmTrust, which was acquired by Trend Micro in 2011, and as co-founder and CTO of GeoTrust, a major global certification authority that was acquired by VeriSign in 2006.
Having served in the industry since 1998, Bailey is a current and founding member of the industry standards groups the CA/B Forum and the CA Security Council, where he continues to actively promote industry best practices and education.
Bailey is a co-creator of Extended Validation and Domain Validated Certificates used in SSL/TLS connections.
Bailey holds an MBA in Finance and Strategy from the Goizueta Business School, Emory University, and a BS in Finance, Insurance and Economic Security from the University of South Carolina.