iTnews

TLS cert issuers join forces to shore up trust

By Juha Saarinen, iTnews on Jun 28, 2018 11:10AM

Fighting phishing scourge.

Five large issuers of Transport Layer Security certificates have launched The London Protocol to improve identity assurance for websites, following a recent rise in phishing fraud using digital credentials to impersonate legitimate organisations.

TLS certificates for websites come in three flavours. Two of them, the Organisation Validated and Extended Validation (OV and EV) certificates, provide website visitors and their browsers with organisation identity information, as the names imply.

Certificate authorities are required to verify that organisations are who they say they are through documents such as business licenses before OV and EV credentials can be issued.

However, anonymous, often free and automatically issued Domain Validated (DV) TLS certificates lack organisation identity information, and are being abused by phishers.

“While there is no arguing that the advent of the encrypted internet is a move in the positive direction, it has unfortunately created user confusion and fostered an increased threat of phishing attacks with more websites being ‘secured’ with anonymous DV certificates,” said Christian Simko of digital credentials issuer GlobalSign.

Starting in June this year, large certificate authorities Comodo, Entrust Datacard, GlobalSign, GoDaddy and Trustwave will work together to boost the integrity of OV and EV credentials for websites.

Over a ten-month period, the five issuers will hammer out better policies and procedures to ensure that online users can tell the difference between websites encrypted with OV and EV certificates, and ones that use the less secure and phishing-prone DV credentials.

Following The London Protocol will be voluntary for certificate authorities.

Among the actions to be taken are active monitoring of phishing reports for websites encrypted by the certificate authority's own OV and EV certificates.

Once a phishing report has been filed, the certificate authority in question undertakes to notify the owner of the website affected and provide clean-up and prevention instructions and advice.

The certificate authorities in The London Protocol will also build a common database to reduce future phishing attempts.

This database will be made available to other certificate authorities as well, who can query it for additional due diligence before new OV or EV certificates are issued to websites.

Come March 2019, the five hope to present their report and recommendations to the industry organisation CA/Browser Forum, in which vendors such as Google, Mozilla, Microsoft and Apple participate, for potential changes to the Baseline Requirements, which set out the policies under which TLS certificates are accepted by web browsers and other software.
