Extended Validation Certs don't help
January 27, 2007
There has been a lot of talk about the upcoming CA/Browser Forum's Extended Validation Certificates. The certificates are supposed to increase users' confidence that a web site is legitimate and are also supposed to stop phishing. In a study conducted by Stanford University researchers titled "An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks," they found that EV certificates had no effect on helping users distinguish fraudulent sites from legitimate sites.
However, EV certificates do neither. I kind of knew this intuitively, and others I had talked to agreed. It appears the real benefit is to tell users that a particular website ponied up the extra cash for an EV certificate. Let's face it: if a low assurance certificate (issued with very little validation) and a high assurance certificate (issued with stronger validation) look the same in the browser, what is the business driver, assuming you're a legitimate business, in paying for a high assurance certificate? With the green address bar and other visual cues in browsers like IE7, EV certificates at least show up differently.
Four points from the study tell the tale:
Picture-in-picture attacks were as effective as homograph attacks.
Extended validation did not help users defend against either attack.
Extended validation did not help untrained users classify a legitimate site.
Training caused more real and fraudulent sites to be classified as legitimate.
The study is interesting to read. Check it out.