Five large issuers of Transport Layer Security certificates have launched The London Protocol to improve identity assurance for websites, following a recent rise in phishing fraud using digital credentials to impersonate legitimate organisations.
TLS certificates for websites come in three flavours. Organisation Validated (OV) and Extended Validation (EV) certificates, as their names imply, carry vetted identity information about the organisation operating the site, which browsers can present to visitors.
Before an OV or EV certificate can be issued, the certificate authority is required to verify that the organisation is who it claims to be, using documents such as business registration records.
Domain Validated (DV) certificates, by contrast, are anonymous, often free and issued automatically once the applicant proves control of the domain name; they carry no organisation identity at all, and phishers are abusing them.
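The distinction the article draws between DV, OV and EV certificates is visible in the certificate itself: OV and EV certificates carry an organizationName (O=) in the Subject, DV certificates do not, and the certificatePolicies extension carries one of the CA/Browser Forum reserved policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for individual-validated). The following is an added example of a classifier built on those two facts; it is not code from the article or from any of the London Protocol certificate authorities. The set of recognised EV policy OIDs (`EV_POLICY_OIDS`) is an assumption: many CAs mark EV certificates with their own policy OID instead of the CA/B Forum one, so it must be extended per CA before use. The PEM wrapper relies on the third-party `cryptography` package; the decision logic itself is plain Python.

```python
"""Classify an X.509 server certificate as DV, OV, IV or EV.

Added example, not code from the article or from any London Protocol CA.
Decision inputs:
  - Subject organizationName (O=): present on OV/EV, absent on DV.
  - certificatePolicies OIDs reserved by the CA/Browser Forum:
        2.23.140.1.1     EV
        2.23.140.1.2.1   DV
        2.23.140.1.2.2   OV
        2.23.140.1.2.3   IV (individual-validated)
"""

CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"
CABF_IV = "2.23.140.1.2.3"

# ASSUMPTION for this example: only the CA/B Forum EV OID is recognised.
# Real deployments must add each CA's own EV policy OID to this set.
EV_POLICY_OIDS = {CABF_EV}


def classify_validation_level(org_name, policy_oids):
    """Return 'EV', 'OV', 'IV' or 'DV'.

    org_name    -- Subject organizationName, or None if the attribute is absent
    policy_oids -- dotted-string OIDs from certificatePolicies (may be empty)
    """
    oids = set(policy_oids)
    if oids & EV_POLICY_OIDS:
        if not org_name:
            # EV without an organisation in the Subject is malformed; refuse
            # to report identity assurance the certificate does not carry.
            raise ValueError("EV policy OID present but Subject has no organizationName")
        return "EV"
    if CABF_OV in oids:
        return "OV"
    if CABF_IV in oids:
        return "IV"
    if CABF_DV in oids:
        return "DV"
    # No reserved policy OID (older or non-compliant certificate): fall back
    # to the Subject. Any organisation identity means at least OV; none means DV.
    return "OV" if org_name else "DV"


def classify_cert_pem(pem_bytes):
    """Parse a PEM certificate with the 'cryptography' package and classify it.

    The import is local so the pure classifier above works without the package.
    """
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID

    cert = x509.load_pem_x509_certificate(pem_bytes)
    orgs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    org_name = orgs[0].value if orgs else None
    try:
        policies = cert.extensions.get_extension_for_oid(
            ExtensionOID.CERTIFICATE_POLICIES).value
        oids = [p.policy_identifier.dotted_string for p in policies]
    except x509.ExtensionNotFound:
        oids = []
    return classify_validation_level(org_name, oids)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real certificate.
    samples = [
        ("phishing-lookalike DV cert", None, [CABF_DV]),
        ("OV cert", "Example Corp", [CABF_OV]),
        ("EV cert", "Example Corp", [CABF_EV]),
        ("legacy cert, no policy OID, O= present", "Example Corp", []),
    ]
    for label, org, oids in samples:
        print(f"{label}: {classify_validation_level(org, oids)}")
```

To classify a live site, fetch its leaf certificate with the standard library (`ssl.SSLSocket.getpeercert(binary_form=True)`, converted with `ssl.DER_cert_to_PEM_cert`) and pass the result to `classify_cert_pem`. The classifier only reports what the certificate asserts about itself; whether the issuing CA actually performed the vetting is exactly the question the London Protocol is about, and is not something a relying party can check from the certificate alone.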
“While there is no arguing that the advent of the encrypted internet is a move in the positive direction, it has unfortunately created user confusion and fostered an increased threat of phishing attacks with more websites being ‘secured’ with anonymous DV certificates,” said Christian Simko of digital credentials issuer GlobalSign.
Starting in June this year, the large certificate authorities Comodo, Entrust Datacard, GlobalSign, GoDaddy and Trustwave will work together to boost the integrity of OV and EV certificates for websites.
Over a ten-month period, the five issuers will hammer out better policies and procedures so that online users can tell the difference between websites using OV and EV certificates and those using DV certificates. DV certificates provide exactly the same encryption as OV and EV ones; what they lack is any vetted organisation identity, which is what makes them cheap and easy for phishers to obtain.
Following The London Protocol will be voluntary for certificate authorities.
Among the actions to be taken is active monitoring of phishing reports for websites that present OV or EV certificates issued by the certificate authority itself.
Once a phishing report has been filed, the certificate authority in question undertakes to notify the owner of the website affected and provide clean-up and prevention instructions and advice.
The certificate authorities in The London Protocol will also build a shared database of phishing reports to reduce future abuse.
This database will be made available to other certificate authorities as well, who can query it for additional due diligence before issuing new OV or EV certificates.
In March 2019 the five hope to present their report and recommendations to the CA/Browser Forum, the industry body in which browser vendors such as Google, Mozilla, Microsoft and Apple participate alongside certificate authorities, for potential changes to the Baseline Requirements, which set out the policies under which TLS certificates are accepted by web browsers and other software.