Study Finds IE7 + EV SSL Won't Stop Phishing

An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued."

No shit. Really?

[xxxJonBoyxxx]

EV certificates don't improve users' ability to detect attacks

No shit. Really?

These "EV certificates" are a joke. If you've been in the industry 5 years or more, you know that the pitch surrounding these certs is 100% identical to the pitch used to sell regular, commercial-CA-signed certs 5 years ago.

Users are right to be confused. When connecting to "consumer" applications from home they might see the IE green bar, but then they go to work and get used to seeing the IE red bar to connect to all their partners' "B2B" websites all day. (Lots, if not most companies seem to use self-signed certs or give out IP addresses to connect to rather than hostnames that match with a valid CA-signed cert for business-to-business web applications.)

Nothing is secure!

[140Mandak262Jamuna]

I recently got an account in Fidelity, one of the largest mutual funds with assets in billons of dollars. It has 6 to 10 digit numerical password. No special characters, no alphabets. Very simple authentication system. They should know that they will attract phishers and scammers like honey draws the bees. But still the top level decision makers still think like, "my customer is 65 years old and is not tech savvy. They will get confused, make it easy and simple for them". They are making it easy and simple for the phishers and scammers too. Schwab too has a simple username-password. Vanguard is a little better. It monitors the IP address of past logins and puts you through tougher login session first time you log in from a new location. Also it tries to login using two screens and displays a user selected personalization picture and caption to authenticate the server. My bank is horrible with just a four digit numerical password (for the quicken on line access atleast). Fidelity also uses Social Security number as a login id by default. Was not impressed by the login authentication methods of Alex Brown, National Discount Broker, Ameritrade and MFS in the past. Someday they are going to lose millions of dollars and then they will swing in the completely opposite direction and make use climb Mount Everest just to log in.