Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Finds IE7 + EV SSL Won't Stop Phishing

Posted by kdawson on from the pretty-green-phishies dept.

An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued."

4 of 84 comments (clear)

  1. This really isn't an IE problem by blowdart · · Score: 4, Insightful

    It's a user education problem, and it's probably too late. SSL has long been missold to end users as an indication of security and trust; it may well secure some communications but the trust aspect is bogus. The newer certificates attempt to add a more measurable trust metric, but without user education it will be useless. Warnings on screen simply get ignored. The study could have equally been done with Opera (which supports the new eval certificates. In addition they also used Firefox on the Mac to indicate a homograph attack.

    1. Re:This really isn't an IE problem by ePhil_One · · Score: 2, Insightful
      So a lot of them will fall for that kind of thing whatever you put in the address bar.

      And in some cases its possible to overwrite the address bar. In others its possible to corrupt DNS caches. There are subtle mispellings that are tricky to catch, and new domain names that look legit but aren't, like www.paypalsecurity.com (PayPal pays companies like Cyveillance to monitor for such bogus registrations). And whule it hasn't happened yet to my knowledge, the real coup will be gaining control of the DNS records themselves and adding an unused host ident.payapl.com that won't be noticed.

      Claims the users are responsible for what happens to them amount to blaming the victim. She should have known not to walk the public streets at night. He should have read the documents in the basement of City Hall explaining that Pianos were going to be falling on 5th street today.

      --
      You are in a maze of twisted little posts, all alike.
    2. Re:This really isn't an IE problem by TheRaven64 · · Score: 5, Insightful

      Except that most users still havent understood the structure of hostnames The real problem is that hostnames are written back to front. JANET in the UK used to write hostnames in the correct order, so this story would have been on org.slashdot.it. At each stage, you have progressive refinement. Writing hostnames the opposite way to filesystem paths (including those written after the hostname) makes no sense, and is just bad UI design. It's probably too late to switch now, but it would be much easier for a user to spot that com.phisher.com.paypal/long_path was not the same as com.paypal/long_path than it is to spot that paypal.com.phisher.com/long_path is not the same as paypal.com/long_path. Once you have spent a long time looking at URIs, it is very easy to regard .com (or .org, or co.uk) as the separator between the hostname and the path.
      --
      I am TheRaven on Soylent News
  2. User Education by kevin_conaway · · Score: 4, Insightful

    Any problem that relies solely on user education/training is doomed to failure because most users don't care or don't want to be trained. They just want it to work