EV SSL certs and phishing
Extended Validation (EV) SSL certs, launched about a year ago, were supposed to be a powerful weapon against phishing. The reality is proving to be less promising.
Of course, true believers remain. PayPal recently raised eyebrows when it recommended that customers stop using Apple’s Safari browser. One of the reasons cited was its lack of support for EV certs.
When a website uses an EV cert, the address bar in supporting browsers (IE 7, Firefox 3) turns green. According to VeriSign, “There is a natural positive psychological impact when a person sees the green address bar.”
The reality is somewhat different. An oft-quoted study by Stanford University and Microsoft in September 2006 concluded that “We did not find that extended validation provided a significant advantage in identifying the phishing attacks tested in this study.” More recently, a survey conducted by the UK managed hosting company NetBenefit found that “70% of shoppers don’t understand the significance of the green browser bar.”
EV certs depend primarily on two assumptions to be effective against phishing. Both of these seem to be flawed:
– First, that the bad guys can’t get EV certs. The problem is that the two pieces of information the EV Guidelines require to prove that a “legal entity” exists are not really an obstacle for the bad guys. All they need is proof of incorporation and a physical business address. These hardly present an insurmountable hurdle.
– Second, that people will understand what it means when the address bar in their browser turns green. More importantly, that if it does not turn green when it should, they will notice, understand what is happening, and stop interacting with the site. As the research shows, at least currently, this is simply not happening. While PayPal and others believe that this is only a matter of time, in my view relying on people to implement your security feature is a big ask.
So, should a site get EV certs knowing that they probably won’t stop phishing and that the main beneficiary is the CA, which charges extra for them over ordinary SSL certs? Unfortunately, the answer is yes. Not because they provide any real benefit but because they do no harm. And that’s hardly a strong endorsement of the great hopes that backers of EV certs held out a year back.