Study Finds IE7 + EV SSL Won't Stop Phishing
An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued."
Then the reality must be much, much worse...
It's a user education problem, and it's probably too late. SSL has long been mis-sold to end users as an indication of security and trust; it may well secure some communications, but the trust aspect is bogus. The newer certificates attempt to add a more measurable trust metric, but without user education it will be useless. Warnings on screen simply get ignored. The study could equally have been done with Opera (which supports the new EV certificates). In addition, they also used Firefox on the Mac to indicate a homograph attack.
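A worked check for the homograph attack mentioned above, as an added example that is not from the study or the post. The sample hostnames, the trusted-name list and the small confusable table are constructed for the demo (the full confusable data is in Unicode TR39). It shows the three things a browser or mail gateway can look at: whether a label mixes scripts, what punycode name actually gets resolved, and whether the name folds to a trusted one once look-alike letters are replaced:

```python
import unicodedata

# Constructed hostnames for the demo (not from the study). The second entry
# replaces the Latin 'a' at index 1 with U+0430 CYRILLIC SMALL LETTER A.
SAMPLE_HOSTS = ["paypal.com", "p\u0430ypal.com", "bank-of-example.com"]

# Trusted names the checker compares against (assumed, illustrative).
TRUSTED = {"paypal.com"}

# Minimal confusable map: Cyrillic lowercase letters whose glyphs are
# indistinguishable from Latin ones in most fonts. Unicode TR39 has the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
}


def to_ascii(host: str) -> str:
    """What the resolver actually sees: the IDNA/punycode (xn--) form."""
    return host.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Script names of the letters in a label, taken from the Unicode character name
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(host: str) -> str:
    """Fold confusable characters to their Latin look-alike after NFKC normalisation."""
    normalised = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised)


def check_host(host: str) -> list:
    """Return a list of findings for one hostname; an empty list means nothing suspicious."""
    findings = []
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
    ascii_form = to_ascii(host)
    if ascii_form != host:
        # A non-ASCII name: the user sees the Unicode form, the resolver sees xn--
        findings.append(f"IDN: displayed {host!r} resolves as {ascii_form!r}")
    folded = skeleton(host)
    if folded != host and folded in TRUSTED:
        findings.append(f"confusable with trusted host {folded!r}")
    return findings


def scan(hosts=SAMPLE_HOSTS) -> dict:
    """Run check_host over a list of names; hostname -> findings."""
    return {h: check_host(h) for h in hosts}


if __name__ == "__main__":
    for host, findings in scan().items():
        print(host, "->", findings or "ok")
```

The mixed-script check is the cheap, high-signal one; the skeleton comparison is what catches a single-script Cyrillic label that happens to spell a trusted Latin name, which the mixed-script rule alone will not.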
Always ask yourself why they need it, and do you trust them to secure your information.
In Canada right now there are two separate credit card breaches under investigation. This isn't even a phishing thing, this is just plain old sloppy security.
I suspect that there are many other breaches that haven't been detected and/or reported. So I strongly recommend that you refuse to give out personal information to these locations. Don't sign up for rewards cards, don't let them collect your address, and phone, and SSN, when you buy a t-shirt. They don't need it! And I don't trust them.
Any problem that relies solely on user education/training is doomed to failure because most users don't care or don't want to be trained. They just want it to work.
"training users actually decreases their ability to detect attacks".
Or your teaching skills are worth absolute *shit*.
I've refused to buy these new certificates as it is unclear what you are purchasing. I'm not sure why this costs more than the regular $995 certificates that Verisign already offers. It seems that the customer has to pay Verisign more money to do a better job (of doing what they are already supposed to be doing). You should be adequately verifying the companies who purchase your $995 certificates.
I am sure Microsoft would be happy with your proposal.
Basically what you say is to give Bill Gates the key to the entire Internet (since the web is the internet now).
These "EV certificates" are a joke. If you've been in the industry 5 years or more, you know that the pitch surrounding these certs is 100% identical to the pitch used to sell regular, commercial-CA-signed certs 5 years ago.
Users are right to be confused. When connecting to "consumer" applications from home they might see the IE green bar, but then they go to work and get used to seeing the IE red bar to connect to all their partners' "B2B" websites all day. (Lots, if not most, companies seem to use self-signed certs or give out IP addresses to connect to rather than hostnames that match a valid CA-signed cert for business-to-business web applications.)
People actually turn this 'feature' ON?
I recently got an account at Fidelity, one of the largest mutual funds with assets in billions of dollars. It has a 6 to 10 digit numerical password. No special characters, no letters. Very simple authentication system. They should know that they will attract phishers and scammers like honey draws the bees. But the top-level decision makers still think like, "my customer is 65 years old and is not tech savvy. They will get confused, make it easy and simple for them". They are making it easy and simple for the phishers and scammers too. Schwab too has a simple username-password. Vanguard is a little better. It monitors the IP address of past logins and puts you through a tougher login session the first time you log in from a new location. Also it tries to log in using two screens and displays a user-selected personalization picture and caption to authenticate the server. My bank is horrible with just a four digit numerical password (for the Quicken online access at least). Fidelity also uses the Social Security number as a login id by default. Was not impressed by the login authentication methods of Alex Brown, National Discount Broker, Ameritrade and MFS in the past. Someday they are going to lose millions of dollars and then they will swing in the completely opposite direction and make us climb Mount Everest just to log in.
It's a pity that, although other browsers are mentioned in the article, they were not used in the experiments, so there is no way of comparing them to IE7, and thus we cannot use this article to bash IE7. At least, not if you want to use facts.
Of course they're ineffective. Phishing is not an IE problem or a "security" problem. It's a trust problem. If someone was going door to door claiming to be a representative of a bank and asking for account numbers, most people would turn him away and call the cops. Why do we then trust a link in some unsolicited email with the same information? Geez.
What's unfortunate here is that since Microsoft, via IE7, made the attempt to protect users from phishing, now they have some degree of responsibility to fix what they never can. Don't claim that you will fix something if you cannot.
blah blah blah
All the Certificate Authorities are a bunch of extortionists anyway.
As far as IE is concerned: Even PC World recommends against IE and all they do is promote Microsoft garbage.
PC-World - Is it safe to use IE again?
Let us imagine that we have an email message that takes us to a phishing site. But instead of taking us to a Web page we get a web page within the Web page. Is the user likely to notice? I suspect so.
The experiments don't test that scenario; instead they test the scenario where the user has a browser open with a PIP browser already there. This is a rather easier layup.
I have spent quite a bit of time working on security usability testing including EV. It is really hard to design a realistic experiment. If you put users in a lab environment they react very differently. In particular in a lab environment they are much more tolerant of errors than in a home environment, they expect things to be not quite right. This means that many security cues are suppressed entirely.
The user experiences we are testing are all designed to be minimally intrusive. That is, they are designed for regular use every day. The idea is not that someone visits their bank, sees the green bar and thinks they are safe. The idea is that they visit their bank fifty to a hundred times, seeing the green bar every single time, and then notice it is not there in an attack scenario.
Ultimately the objective of EV is not to stop phishing, it is to provide accountability. If you go to the EV site you should know that the site has been authenticated and you can either hold the site accountable or the issuer of the cert. This may reduce phishing, but it is not by itself going to eliminate it.
Ultimately the test that matters here is how people react in a large scale deployment. The cost of phishing is huge. It is a very visible attack that eats up a huge amount of customer service and staff resources besides the cost of the actual fraud losses (secondary losses are much higher). If EV reduces those costs by even a few percent it more than pays for itself.
The idea of EV was not to protect banks though, it was to protect customers. The user experience is not fixed for all time. If the IE7 EV experience does not work then we can change it to make it better. At this point however we need the type of data that you can only get from large scale deployment to know.
If you know to look for the green bar you will be a lot safer than you are now. The problem is how to design something that is pervasive without being invasive.
You are confusing 2 things, but you will not be alone. SSL / certificates only protect WHO is certified, not what that party is doing. You can get a certificate for a company "click ok button" and get certified for this. All the user can do is maybe retrieve your real identity. Paypal (of course) has a good certificate. That does not mean Paypal is good, or cares about your money. It only says Paypal is Paypal, not what Paypal is doing with your money or even in what country.
But your advice is correct: don't volunteer too much information.
Nice Troll... Dipshit.
I don't agree completely with you.
Most B2B shops I know here in Switzerland use a cert signed by a well-known CA.
However, most internal IT like webmail (Outlook Web Access or Lotus), etc. uses internal CAs, which are only recognized on managed machines (Active Directory, Novell, whatever).
The study didn't actually evaluate the effectiveness of EV Certificates. It evaluated the effectiveness of the mechanism used by Internet Explorer 7 to display the information contained inside SSL certificates. Big difference.
They recently implemented an excellent anti-phishing measure: An image and a phrase.
They had a gallery of 100+ images. I chose a specific one -- an image of mars. They also gave you a phrase. I chose "ALL HAIL XENU!!".
Now, it asks for username first. After you give it the username, it shows the image of mars, as well as "ALL HAIL XENU!!". I then know it is actually the right site, and I can put in my password. No phisher is going to be able to know what phrase I typed in. This is very secure and requires no fancypants technology.
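The two-screen image/phrase login described in the post above, as an added example that is not from the post or from any bank's code. The account record, the careful user and both phishing sites are constructed for the demo. It runs the same user through three logins: directly against the bank, against a static copy of the login page (which cannot know the image or phrase, so the user walks away), and through a relay that forwards the username to the real bank in real time and shows whatever image and phrase come back. The cue binds the page to the username, not to the site the user is talking to, which is the case the relay exploits:

```python
import hmac
import secrets

# Constructed account record for the demo (assumed, not from the post):
# username -> chosen image, chosen phrase, password.
USERS = {
    "clio": {"image": "mars.png", "phrase": "ALL HAIL XENU!!", "password": "correct horse"},
}


class BankSite:
    """Two-screen login: step1 takes the username and returns the personal
    image/phrase; step2 takes the password once the user is satisfied."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # login token -> username awaiting a password

    def step1(self, username):
        account = self.users.get(username)
        if account is None:
            return None  # a real site should return a decoy to avoid username enumeration
        token = secrets.token_hex(8)
        self.pending[token] = username
        return {"token": token, "image": account["image"], "phrase": account["phrase"]}

    def step2(self, token, password):
        username = self.pending.pop(token, None)
        if username is None:
            return False
        return hmac.compare_digest(self.users[username]["password"], password)


class Victim:
    """A careful user: checks image and phrase before typing the password."""

    def __init__(self, username, password, image, phrase):
        self.username, self.password = username, password
        self.expected = (image, phrase)

    def login(self, site):
        shown = site.step1(self.username)
        if shown is None or (shown["image"], shown["phrase"]) != self.expected:
            return "refused"  # cue is wrong or missing, user walks away
        return "ok" if site.step2(shown["token"], self.password) else "failed"


class NaivePhisher:
    """Static copy of the login page: does not know the victim's image/phrase."""

    def step1(self, username):
        return {"token": "x", "image": "generic.png", "phrase": "Welcome back!"}

    def step2(self, token, password):
        return True


class RelayPhisher:
    """Looks like the bank to the victim; forwards each step to the real bank
    as it happens, so the genuine image/phrase comes back and is shown."""

    def __init__(self, real_site):
        self.real = real_site
        self.captured = {}  # token -> what the relay learned

    def step1(self, username):
        shown = self.real.step1(username)
        if shown is not None:
            self.captured[shown["token"]] = {"username": username}
        return shown

    def step2(self, token, password):
        self.captured[token]["password"] = password
        return self.real.step2(token, password)  # log the victim in so nothing looks wrong


def run_demo():
    """Returns (direct, naive, relayed, stolen): the three login outcomes and what the relay captured."""
    bank = BankSite(USERS)
    victim = Victim("clio", "correct horse", "mars.png", "ALL HAIL XENU!!")
    direct = victim.login(bank)
    naive = victim.login(NaivePhisher())
    relay = RelayPhisher(bank)
    relayed = victim.login(relay)
    stolen = [c for c in relay.captured.values() if "password" in c]
    return direct, naive, relayed, stolen


if __name__ == "__main__":
    print(run_demo())
```

The static copy is refused, as the post expects; the relay gets "ok" from the victim's point of view and a username/password pair from the phisher's. Anything that makes the image/phrase depend only on the username (and the username is what the phishing page asks for first) can be fetched by whoever holds the username.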
"...training users actually decreases their ability to detect attacks."
Now you can't even TRAIN users to use Windows securely!
Oh, this is too much! I'm crapping on myself laughing!
Somebody put Microsoft out of business NOW! Please!
http://www.ranum.com/security/computer_security/editorials/dumb/
So-called "User Education" is a silly idea. Simply put, as the editorial highlights, if it was going to work, it would have worked by now. On the other hand this seems like an issue with IE itself, where IE should never be asking "Is this okay?" in the first place.
On the one hand, users shouldn't be doing this and falling prey to phishing. On the other hand, why is IE enabling it to happen? Throwing up another "Do you want to do this? Yes/No" is not security, nor is it a secure process.
This is a thinly veiled protection racket. You're a sole proprietorship, general partnership or individual? You will be labeled as a possible phishing site, and lose potential customers. You are a small (or large) business? Pay up the $1300.00 per year, or you will be labeled a possible criminal and lose business too. These certificates offer the business nothing of value. Pure racketeering, and potentially slanderous in nature. This does little to actively protect the consumer, and once this gets hacked (my guess is sooner rather than later) it will do nothing to protect consumers. This only works in favor of large corporations by decreasing competition from the little guys. Sic 'em, Guido!
It has been claimed that the issue with small businesses & EV certification is moot, because Google Checkout is getting more popular, Paypal and eBay will surely be EV certified, and within a few years from now many online merchants will be providing Paypal and Google Checkout options.
Some small businesses prefer not to use third party 'shopping cart' services. This increases their overhead, and once again funnels money from the little guy into the pockets of corporations. Many small business owners are loath to relinquish any control over their business. Also, some people find writing and maintaining their own (or FOSS) shopping cart to be just plain fun! Not to mention educational.
So, the solution for small business is to either PAY Entrust, or PAY Google et al? Not a solution, afaic. It's a scam. I can't believe this doesn't violate anti-trust laws or racketeering laws. It's hostile to small businesses and completely excludes sole proprietorships, general partnerships and individuals, as they aren't even eligible for the green bar 'status.' This causes far larger problems than it solves. This only marginally protects the stupid (who fall for phishing scams) and deals out serious punishment to the honest business owner.
I expect we will see many small web-based businesses go under because of this. Another anti-entrepreneur blow from the capitalist elite.
To summarize: This punishes honest businesses for criminal activity they don't condone or participate in. This doesn't punish phishers. This doesn't protect consumers. In the long run we will see that this has done nothing to solve the problem. This stinks of greed, plain and simple. Another way to look at this is 'Presumed guilty until innocence is bought.'
Despite what the abstract says, this "research" doesn't really have a sample size of 27 subjects. It's 3 tests of 9 subjects each. That's not much of a sample size. If you look at Figure 4 you'll see that the potential variance on these results is considerably more than the differences we're supposed to be noticing. For example, for the Control group on the "Real, confusing" test, the chart indicates that the actual result is 95% likely to be somewhere between 5% and 75%. Thanks guys. That's helpful. In other words, you can't conclude anything based on this number of data points.
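The sample-size point in the comment above, worked through as an added example that is not from the paper. The tallies GROUP_A and GROUP_B are constructed for the demo and are not the paper's numbers (its own intervals are in its Figure 4). The Wilson score interval is used because the usual normal approximation is unreliable at n = 9; n_to_separate then scales both groups up at fixed observed rates (so the expected detection counts are fractional) until their 95% intervals stop overlapping, which is the rough size of study the comparison would need:

```python
import math

# Constructed tallies for the demo (assumed; not the paper's data):
# (detections, subjects) for two groups of 9.
GROUP_A = (3, 9)
GROUP_B = (6, 9)


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a binomial proportion; z=1.96 gives 95%.
    Behaves sensibly for small n and for rates near 0 or 1, unlike p +/- z*sqrt(p(1-p)/n)."""
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (centre - half, centre + half)


def intervals_overlap(a, b):
    """True when the two groups' 95% intervals overlap, i.e. the data
    cannot tell the groups apart at this confidence level."""
    (lo_a, hi_a), (lo_b, hi_b) = wilson_interval(*a), wilson_interval(*b)
    return lo_a <= hi_b and lo_b <= hi_a


def n_to_separate(rate_a, rate_b, start=9, limit=10_000):
    """Smallest per-group n at which groups with these observed rates
    have non-overlapping 95% intervals (expected counts, not rounded)."""
    n = start
    while n <= limit:
        if not intervals_overlap((rate_a * n, n), (rate_b * n, n)):
            return n
        n += 1
    return None


if __name__ == "__main__":
    for g in (GROUP_A, GROUP_B):
        lo, hi = wilson_interval(*g)
        print(f"{g[0]}/{g[1]} detected: 95% interval {lo:.0%} to {hi:.0%}")
    print("overlap at n=9:", intervals_overlap(GROUP_A, GROUP_B))
    print("subjects per group needed at these rates:", n_to_separate(1 / 3, 2 / 3))
```

With 3 of 9 and 6 of 9 the intervals are roughly 12% to 65% and 35% to 88%, so a doubling of the detection rate is not distinguishable from noise; at the same rates it takes about 35 subjects per group before the intervals part.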