TMCnet News
CASC Announces Launch of London Protocol to Improve Identity Assurance and Minimize Phishing on Identity Websites

LONDON, June 27, 2018 (GLOBE NEWSWIRE) -- The Certificate Authority Security Council (CASC), an advocacy group committed to the advancement of the security of websites and online transactions, announced at the CA/Browser Forum event in London the launch of the London Protocol – an initiative to improve identity assurance and minimize the possibility of phishing activity on websites encrypted with organization validated (OV) and extended validation (EV) certificates, which contain organization identity information (Identity Certificates).

Following the recent rise in phishing attacks, five certificate authorities (CAs) from CASC developed the London Protocol to reinforce the distinction between Identity Websites and websites encrypted by domain validated (DV) certificates, which lack organization identity. Participating CAs include Comodo CA, Entrust Datacard, GlobalSign, GoDaddy and Trustwave.
“At its core, the London Protocol is designed to get back to the root of what EV and OV certificates were created for – providing online consumers better trust and assurance,” said Tony Perez, head of security products at GoDaddy.

Once the third phase of the Protocol is complete, the result of the London Protocol will be released to improve processes, maintain the integrity of authentic websites and increase user awareness, particularly when it comes to distinguishing an authentic website from a phishing attack.

“While there is no arguing that the advent of the encrypted internet is a move in the positive direction, it has unfortunately created user confusion and fostered an increased threat of phishing attacks with more websites being ‘secured’ with anonymous DV certificates,” said Christian Simko, vice president of marketing, Americas and EMEA, at GlobalSign.

Although DV certificates are affordable and often issued automatically, issuing them does not require CAs to verify the organization identity. Many DV certificates are issued anonymously without legitimate contact information, making it easy for phishers to get them for fraudulent purposes.

“Security is best handled through layers, no single layer is 100 percent impenetrable,” said Bill Holtz, CEO at Comodo CA.

Conversely, before an OV or EV certificate can be issued, CAs are required to verify the organization information using verifiable documents, such as a government-issued business license, providing an additional layer of validation to the process.

“Based on our research, we found that anonymity on the internet breeds nefarious activity,” said Chris Bailey, VP of strategy and business development for certificate services at Entrust Datacard. “We believe the internet will be safer for users if the sites they are visiting are organizationally identified.”

To improve internet security and awareness of these high-assurance certificates, participating CAs will collaborate on the London Protocol to find best security practices for identity assurance and minimize phishing on identity websites.

“As cybercriminals continue to become more adept at bypassing security controls protecting website integrity, identity-based certificates will be crucial for safer online experiences,” said Robert J. McCullen, CEO of compliance at Trustwave.

Related resources:
For more information about CASC and its members, visit: https://casecurity.org/.