EV SSL: Dead on Arrival?

Research by Microsoft, Stanford says surfers aren't any safer with new Web site certification standard

January 31, 2007

2 Min Read
Network Computing logo

9:00 AM -- Next week at the RSA convention in San Francisco, users will get their first look at implementations of Extended Validation SSL with Microsoft's IE 7 browser. The new technology is designed to show Web surfers a "green bar" to indicate that the sites they click to are legitimate, non-phishing sites.

A week later, at the upcoming Usable Security '07 conference in Trinidad & Tobago, researchers from Microsoft and Stanford University will present a paper that says EV SSL doesn't work.

The paper, which was completed in 2006, is the culmination of an extensive study that the Microsoft and Stanford researchers conducted on Web users last year. The goal of the study was to find out whether users would be less likely to go to a phishing site if an EV SSL certificate warned them of the danger.

"Unfortunately, participants who received no training in browser security features did not notice the [EV] indicator and did not outperform the control group," the study says. "The participants who were asked to read the IE help file were more likely to classify both real and fake sites as legitimate whenever the phishing warning did not appear."

In essence, the study suggests that the EV SSL doesn't help users -- particularly untrained users -- to avoid phishing sites.

And even if it did, it's not clear that EV SSL would stop the most sophisticated phishers, the study says. "If EV becomes widespread, we expect that online criminals will try to mimic its trust indicator, just as they have copied other legitimate financial sites in the past," the paper says.

The Microsoft-Stanford paper adds fuel to the controversy over EV SSL's potential effectiveness, which has been raised by other critics as well. Many experts say that the technology's means of certifying Web sites -- requiring a street address and letters of incorporation -- is both unreliable and unfair to smaller businesses. (See Cybertrust Enters EV SSL Fray.)

With well-founded criticism of its underlying means of certifying Web sites and its usability by real end users, EV SSL faces an uphill struggle -- even before it gets out of the gate. It will be interesting to see how EV SSL vendors such as Cybertrust and VeriSign position the technology as they demonstrate new products next week.

— Tim Wilson, Site Editor, Dark Reading

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights