EV SSL certs and phishing

March 5, 2008 at 11:50 pm 2 comments

Extended Validation (EV) SSL certs launched about a year ago were supposed to be a powerful weapon against phishing. The reality is proving to be less promising.

Of course, true believers remain. PayPal recently raised eyebrows when it recommended that customers stop using Apple’s Safari browser. One of the reasons cited was its lack of support for EV certs.

When a website has EV certs, the address bar in browsers (IE 7, Firefox 3) turns green. According to VeriSign, “There is a natural positive psychological impact when a person sees the green address bar.”

The reality is somewhat different. An oft-quoted study by Stan U and Microsoft in September 2006 concluded that, “We did not find that extended validation provided a significant advantage in identifying the phishing attacks tested in this study.” More recently a survey conducted by UK managed hosting company NetBenefit found that “70% of shoppers don’t understand the significance of the green browser bar.”

EV certs primarily depend upon two assumptions to be effective against phishing. Both of these seem to be flawed:

– First, that the bad guys can’t get EV certs. The problem is that the two pieces of information that the Guidelines for issuing certs require to prove that a “legal entity” exists is not really a problem for the bad guys. All they need is proof of incorporation and a physical business address. These hardly present an insurmountable hurdle.

– Second, that people will understand what the address bar in their browser turning green means. More importantly, if it does not turn green when it should, they would detect and understand what was happening and stop interacting with the site. As the research shows, at least currently, this is simply not happening. While PayPal and others believe that this is only a matter of time, in my view relying on people to implement your security feature is a big ask.

So, should a site get EV certs knowing that they probably won’t stop phishing and the main gainer is the CA who gets extra money over ordinary SSL certs? Unfortunately, the answer is yes. Not because they provide any real benefit but because they do no harm. And that’s hardly a strong endorsement of the great hopes that backers of EV certs held out a year back.

Entry filed under: fraud, network, security.

US: Admiring the TSA Privacy Gateway

2 Comments Add your own

  • 1. KOTHEA - Passionate About Fabrics For Top Designers  |  August 8, 2010 at 12:17 pm

    hi, thank you for your thoughts in the post. I note that some ev ssls come with insurance but some related questions for you if you wouldn’t mind:

    1. Do any SSL actually DIRECTLY boost your pagerank ie just by having a certificate is your score higher.
    2. If you get one do you have to go an change ALL your backlinks to https://…. from http://…? or is there some automatic thing on your host which defaults to https (but still allows http)
    3. For EV SSL is there any better or cheaper provider than godaddy.com? (I don’t work for them!)

  • 2. 411 New York  |  November 11, 2011 at 2:18 pm


    1. It did for us. We just added a verified SSL cetificate about a month ago and the SSL version has a PR4 on every page on our site. The non-SSL ranges from PR0 to PR3.

    2. the .htaccess file can redirect traffic to the https version. ONLY do this if you will continue to renew your certificate each year. If you let it expire, then the browser will give warnings to all that search engine traffic coming in to the https version. Best thing to do is “code” a link on the page that redirects to the https version and use nofollow.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.

Follow me on twitter


%d bloggers like this: