Study Finds IE7 + EV SSL Won't Stop Phishing

An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued."

No shit. Really?

[xxxJonBoyxxx]

EV certificates don't improve users' ability to detect attacks

No shit. Really?

These "EV certificates" are a joke. If you've been in the industry 5 years or more, you know that the pitch surrounding these certs is 100% identical to the pitch used to sell regular, commercial-CA-signed certs 5 years ago.

Users are right to be confused. When connecting to "consumer" applications from home they might see the IE green bar, but then they go to work and get used to seeing the IE red bar to connect to all their partners' "B2B" websites all day. (Lots, if not most companies seem to use self-signed certs or give out IP addresses to connect to rather than hostnames that match with a valid CA-signed cert for business-to-business web applications.)