The London Protocol: a new anti-phishing initiative

The Certificate Authority Security Council (CASC) at the CA / Browser Forum in London announced the launch of a new initiative called the London Protocol. This initiative has the following objectives:

• more reliable confirmation of identifying information;
  
• minimise phishing for sites with OV and EV certificates.
  

Given the recent increase in phishing attacks, the London Protocol suggests a stronger distinction between sites with DV certificates and sites with OV and EV certificates.

The initiative will be implemented on a voluntary basis with the involvement of certification authorities, which will carry out the following tasks:

• Actively monitor phishing reports for sites with OV and EV certificates issued by this certification authority.
  
• Notify the affected site owner that phishing content has been detected and offer instructions for resolving the problem along with security measures.
  
• Replenish a common database to reduce the amount of phishing content. This data will be available to other certification authorities so that they can conduct additional research before issuing OV and EV certificates.
  
• Develop a namespace collisions system to prevent the Stripe threats vector (https://stripe.ian.sh).
  

When issuing DV certificates, certification authorities are not obliged to check the organisation's details. Many DV certificates are released anonymously without any contact information, which makes it easier to use them for phishing purposes.

For the issuance of OV and EV certificates, certification authorities should check the organisation’s information, which can be done in different ways. To improve security on the web and awareness of OV and EV certificates, certification authorities within the framework of the London Protocol will interact with each other to ensure the security of confirmation of identifying data and minimise phishing for sites with OV and EV certificates.

The implementation of the London Protocol will be carried out step by step:

• June-August 2018. Certification authorities are developing the initiative and are beginning to implement some basic procedures.
  
• September-November 2018. Certification authorities will apply protocol concepts to customer sites with OV and EV certificates, relying on their own policies and procedures, exchange feedback with other certification authorities and update the protocol based on experience gained.
  
• December 2018-February 2019. Certification authorities will update the protocol policies and procedures, and approve a plan for unifying policies and procedures that should be applied by certification authorities on a voluntary basis.
  
• March 2019. Certification authorities will prepare a report and their recommendations for the CA / Browser Forum on possible changes in Baseline Requirements.
  

The London protocol is an attempt to return to the goal for which EV and OV certificates were created - to ensure users' confidence and the security of the transmitted data.

Subscribe to our updates to always be aware of developments in the field of SSL and online security!