Extended Validation Certs don't help

There has been a lot out the upcoming CA/Browser Forum???s Extended Validation Certificates. The certificates are supposed to increase users confidence that a web site is legitimate and also supposed to stop phishing....

Mike Fratto

January 27, 2007

1 Min Read
Network Computing logo

There has been a lot out the upcoming CA/Browser Forum???s Extended Validation Certificates. The certificates are supposed to increase users confidence that a web site is legitimate and also supposed to stop phishing. In a study conducted by Stanford University researchers titles An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks, they found that EV certificates had no effect on helping users identify fraudulent sites from legitimate sites.

However, EV certificates do neither. I kind of knew this intuitively and others I had talked to agreed. It appears the real benefit is to tell users that a particular website ponied up the extra cash for an EV certificate. Let???s face it, if a low assurance certificate (issued with very little validation) and a high assurance certificate (issue with stringer validation) look the same, what is the business driver, assuming you???re a legitimate business, in paying for a high assurance certificate? But with the green bar and other visual cues in browsers like IE7, EV certificates show up as green.

Four points tell the tale

  • Picture-in-picture attacks were as effective as homograph attacks.

  • Extended validation did not help users defend against either attack.

  • Extended validation did not help untrained users classify a legitimate site.

  • Training caused more real and fraudulent sites to be classified as legitimate.

The study is interesting to read. Check it out.

About the Author(s)

Mike Fratto

Former Network Computing Editor

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights