Extended Validation Certs don't help
January 27, 2007
There has been a lot written about the upcoming CA/Browser Forum's Extended Validation Certificates. The certificates are supposed to increase users' confidence that a web site is legitimate and are also supposed to stop phishing. In a study conducted by Stanford University researchers, titled An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks, they found that EV certificates had no effect on helping users distinguish fraudulent sites from legitimate ones.
EV certificates, however, do neither. I kind of knew this intuitively, and others I had talked to agreed. It appears the real benefit is to tell users that a particular website ponied up the extra cash for an EV certificate. Let's face it: if a low assurance certificate (issued with very little validation) and a high assurance certificate (issued with stronger validation) look the same, what is the business driver, assuming you're a legitimate business, in paying for a high assurance certificate? But browsers like IE7 now add visual cues, such as turning the address bar green, so EV certificates are visibly set apart from ordinary ones.
Four points tell the tale
Picture-in-picture attacks were as effective as homograph attacks.
Extended validation did not help users defend against either attack.
Extended validation did not help untrained users classify a legitimate site.
Training caused more real and fraudulent sites to be classified as legitimate.
The study is interesting to read. Check it out.