Skip to main content
banner image
venafi logo

The London Protocol Aims to Expose the Misuse of Machine Identities in Phishing Attacks

The London Protocol Aims to Expose the Misuse of Machine Identities in Phishing Attacks

london protocol exposes phishing websites
July 3, 2018 | David Bisson

An advocacy group has announced the creation of a new protocol for the purpose of minimizing phishing activity on “identity websites.”

On 27 June, the Certificate Authority Security Council (CASC) unveiled the launch of the London Protocol at a CA/Browser forum event in London. The standard will help further differentiate websites encrypted with organization validated (OV) and extended validation (EV) certificates from websites protected by domain validated (DV) certificates. EV and OV certificates are collectively known as identity certificates because both of these types of machine identities contain organization identity information.

As of this writing, five public certificate authorities (CAs) have agreed to uphold the London Protocol and begin implementing its procedures. These entities are as follows: Comodo CA, Entrust Datacard, GlobalSign, GoDaddy and Trustwave.

Christian Simko, vice president of marketing for the Americas and EMEA at GlobalSign, said the London Protocol is all about maintaining authenticated websites’ integrity while minimizing anonymity online. As quoted in a press release:

"While there is no arguing that the advent of the encrypted internet is a move in the positive direction, it has unfortunately created user confusion and fostered an increased threat of phishing attacks with more websites being ‘secured’ with anonymous DV certificates."

The five participating CAs agreed to voluntarily band together under the London Protocol to contribute to a common database designed to reduce future phishing content on the web. Upon the database’s completion, other CAs can get guidance before issuing new OV and EV certificates. Additionally, the CAs will actively monitor phishing reports for websites encrypted with their OV and EV certificates and work with website owners if phishers hijack their sites.

According to a document published by the CASC in early June, the London Protocol’s implementation will proceed in four phases. GlobalSign and the others have already begun the first phase, which involves announcing the Protocol, researching its implementation and beginning to enact its basic procedures. Phase Two will begin in September 2018 when participating CAs start to apply the Protocol to their customers’ identity websites. December will mark the beginning of Phase Three when the participating CAs will develop policies and procedures for universal implementation of the Protocol across all CAs. This all culminates with Phase Four in March 2019 when the founding participants are slated to share their findings and recommend possible changes to the Baseline Requirements of the CA/Browser forum.

As the London Protocol gathers steam, organizations should take steps of their own to prevent phishers from misusing their OV and EV web certificates. A crucial part of this process involves gaining complete visibility into their machine identities. Learn how Venafi can help.

Related posts

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

Why Encryption Should Be the Next Step in Operationalizing GDPR Compliance

Why Encryption Should Be the Next Step in Operationalizing GDPR Compliance

Russia-Yandex Encryption Spat Highlights Trust as a Competitive Business Advantage

Russia-Yandex Encryption Spat Highlights Trust as a Competitive Business Advantage

https phishing, tls certificate, phishing scam

FBI Warns Users about Phishing Campaigns that Leverage HTTPS Websites

About the author

David Bisson
David Bisson

David Bisson writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat