EV SSL certs and phishing

March 5, 2008

Extended Validation (EV) SSL certs, launched about a year ago, were supposed to be a powerful weapon against phishing. The reality is proving to be less promising.

Of course, true believers remain. PayPal recently raised eyebrows when it recommended that customers stop using Apple’s Safari browser. One of the reasons cited was its lack of support for EV certs.

When a website presents an EV cert, the address bar in browsers that support it (IE 7, Firefox 3) turns green. According to VeriSign, “There is a natural positive psychological impact when a person sees the green address bar.”
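What the browser actually checks before turning the bar green is the certificate's certificatePolicies extension: it must carry a policy OID that an EV-enabled root in the browser's store has registered. The Python below is an added example, not code from the original post or from any browser; it hand-encodes and decodes that extension with the standard library only. The EV OID table is an illustrative subset (an assumption; real browsers keep a per-root table), and the sample extension values and CPS URL are constructed for the example.

```python
# Added example: how a browser decides that a cert is EV before showing the
# green bar. It parses the X.509 certificatePolicies extension (DER) and
# matches the policy OIDs against EV policy OIDs bound to trusted roots.

# Illustrative subset (assumption). A policy OID only counts as EV when the
# chain ends at the root that registered it; matching the OID alone is not enough.
EV_POLICY_OIDS = {
    "2.16.840.1.113733.1.7.23.6",  # VeriSign EV policy OID
    "2.23.140.1.1",                # CA/Browser Forum EV OID (defined after 2008)
}
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"    # policy qualifier id: pointer to a CPS


def _base128(n: int) -> bytes:
    """Encode one OID arc as base-128 digits with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return der_tlv(0x06, body)


def decode_oid(body: bytes) -> str:
    """Decode the body of an OBJECT IDENTIFIER TLV to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_certificate_policies(policies) -> bytes:
    """policies: iterable of (oid, cps_uri or None). Returns the extension value DER."""
    infos = b""
    for oid, cps in policies:
        info = encode_oid(oid)
        if cps:  # optional policyQualifiers: SEQUENCE OF { id-qt-cps, IA5String }
            qualifier = der_tlv(0x30, encode_oid(ID_QT_CPS) + der_tlv(0x16, cps.encode("ascii")))
            info += der_tlv(0x30, qualifier)
        infos += der_tlv(0x30, info)
    return der_tlv(0x30, infos)


def policy_oids(ext_value: bytes) -> list:
    """List every policyIdentifier in a certificatePolicies value; qualifiers are skipped."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, obody, _ = read_tlv(info, 0)  # policyIdentifier comes first
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(obody))
    return oids


def is_ev(ext_value: bytes, trusted=EV_POLICY_OIDS) -> bool:
    """True when any asserted policy is in the trusted EV table."""
    return any(oid in trusted for oid in policy_oids(ext_value))


# Constructed samples, not taken from real certificates.
EV_SAMPLE = encode_certificate_policies([("2.16.840.1.113733.1.7.23.6", "https://example.com/cps")])
NON_EV_SAMPLE = encode_certificate_policies([("2.16.840.1.113733.1.7.23.3", None)])  # a non-EV policy
```

Note that the green bar is the end of a longer chain of checks: the browser first validates the certificate path as usual, then requires that the chain terminate at a root it has specifically enabled for EV, and only then looks for that root's policy OID. A self-signed cert asserting an EV OID, as the encoder above could trivially produce, gets nothing.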

The reality is somewhat different. An oft-quoted study by Stanford University and Microsoft in September 2006 concluded that, “We did not find that extended validation provided a significant advantage in identifying the phishing attacks tested in this study.” More recently, a survey conducted by UK managed hosting company NetBenefit found that “70% of shoppers don’t understand the significance of the green browser bar.”

EV certs primarily depend upon two assumptions to be effective against phishing. Both of these seem to be flawed:

- First, that the bad guys can’t get EV certs. The problem is that the two pieces of information the EV Guidelines require to prove that a “legal entity” exists are not really a problem for the bad guys. All they need is proof of incorporation and a physical business address. These hardly present an insurmountable hurdle.

- Second, that people will understand what it means when the address bar in their browser turns green. More importantly, if it does not turn green when it should, they would notice, understand what was happening and stop interacting with the site. As the research shows, at least currently, this is simply not happening. While PayPal and others believe that this is only a matter of time, in my view relying on people to implement your security feature is a big ask.

So, should a site get EV certs knowing that they probably won’t stop phishing and that the main gainer is the CA, which gets extra money over ordinary SSL certs? Unfortunately, the answer is yes. Not because they provide any real benefit but because they do no harm. And that’s hardly a strong endorsement of the great hopes that backers of EV certs held out a year back.

Entry filed under: fraud, network, security.
