Network Computing is part of the Informa Tech Division of Informa PLC


Extended Validation Certs don't help

There has been a lot written about the upcoming CA/Browser Forum's Extended Validation Certificates. The certificates are supposed to increase users' confidence that a web site is legitimate and are also supposed to stop phishing.
In a study conducted by Stanford University researchers titled An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks, they found that EV certificates had no effect on users' ability to tell fraudulent sites from legitimate sites.

However, EV certificates do neither. I kind of knew this intuitively, and others I had talked to agreed. It appears the real benefit is to tell users that a particular website ponied up the extra cash for an EV certificate. Let's face it: if a low assurance certificate (issued with very little validation) and a high assurance certificate (issued with stricter validation) look the same, what is the business driver, assuming you're a legitimate business, in paying for a high assurance certificate? But with the green address bar and other visual cues in browsers like IE7, EV certificates show up as green.

Four points tell the tale

  • Picture-in-picture attacks were as effective as homograph attacks.
  • Extended validation did not help users defend against either attack.
  • Extended validation did not help untrained users classify a legitimate site.
  • Training caused more real and fraudulent sites to be classified as legitimate.

The study is interesting to read. Check it out.