11:00 AM

EV SSL: Dead on Arrival?

Research by Microsoft, Stanford says surfers aren't any safer with new Web site certification standard

9:00 AM -- Next week at the RSA convention in San Francisco, users will get their first look at implementations of Extended Validation SSL with Microsoft's IE 7 browser. The new technology is designed to show Web surfers a "green bar" to indicate that the sites they click to are legitimate, non-phishing sites.

A week later, at the upcoming Usable Security '07 conference in Trinidad & Tobago, researchers from Microsoft and Stanford University will present a paper that says EV SSL doesn't work.

The paper, which was completed in 2006, is the culmination of an extensive study that the Microsoft and Stanford researchers conducted on Web users last year. The goal of the study was to find out whether users would be less likely to go to a phishing site if an EV SSL certificate warned them of the danger.

"Unfortunately, participants who received no training in browser security features did not notice the [EV] indicator and did not outperform the control group," the study says. "The participants who were asked to read the IE help file were more likely to classify both real and fake sites as legitimate whenever the phishing warning did not appear."

In essence, the study suggests that EV SSL doesn't help users -- particularly untrained users -- to avoid phishing sites.

And even if it did, it's not clear that EV SSL would stop the most sophisticated phishers, the study says. "If EV becomes widespread, we expect that online criminals will try to mimic its trust indicator, just as they have copied other legitimate financial sites in the past," the paper says.

The Microsoft-Stanford paper adds fuel to the controversy over EV SSL's potential effectiveness, which has been raised by other critics as well. Many experts say that the technology's means of certifying Web sites -- requiring a street address and letters of incorporation -- is both unreliable and unfair to smaller businesses. (See Cybertrust Enters EV SSL Fray.)

With well-founded criticism of its underlying means of certifying Web sites and its usability by real end users, EV SSL faces an uphill struggle -- even before it gets out of the gate. It will be interesting to see how EV SSL vendors such as Cybertrust and VeriSign position the technology as they demonstrate new products next week.

— Tim Wilson, Site Editor, Dark Reading

  • Cybertrust
  • Microsoft Corp. (Nasdaq: MSFT)
  • VeriSign Inc. (Nasdaq: VRSN)
