Verifiable Labels for Digital Services: A New Approach to Phishing Detection

Users often feel unsafe and unsecure when using digital services. For normal users lacking a technical background, it is difficult to recognize a website’s legitimacy. This makes them vulnerable to cyberthreats such as phishing attacks. In order to solve this issue, many organizations use corporate designs or logos to guide users through their websites. However, these files can be easily copied. More technical means are also advertised as solutions, like trusted Transport Layer Security (TLS) certificates with Extended Validation (EV) certificates, but they are too complicated for non-technical users and barely change the outcome. Right now, users lack a way to easily verify that they are using the intended digital service. Verifiable Labels uses cryptographic identifiers—e.g., from the TLS Public Key Infrastructure (PKI)—to bind an entity’s label to its identifiable key pair, is a potential solution. Instead of trying to provide automated trust, Verifiable Labels acknowledge the presence of ill-intentioned entities. In order to differentiate them from trustworthy actors, cryptographic tools are used to define metrics, which allow a user client to form easily understandable recommendations and analyze a certain actor’s reputation, thus allowing users to naturally develop an opinion and make an educated guess as to whether an entity is trustworthy or not. The end goal would be that most websites asking for some level of trust use Verifiable Labels. This not only has the potential to directly impact Internet users, but also to act as a guiding light for security companies. Since all participating websites would be listed with their reputation metrics, it becomes easier to identify high-risk websites and perform pertinent in-depth analysis in order to take action against phishers faster.