Study Finds IE7 + EV SSL Won't Stop Phishing

An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued."

Re:This really isn't an IE problem

[blowdart]

I did, and wow, I even read the PDF. Aas I said it's probably too late now; the padlock is too engrained in user's minds as a way to indicate a site is trusthworthy and real.

If you read the paper the actual "worse when trained" only referred to sites where the phising toolbar notification was not displayed and not really as a function of EVA;

The participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate whenever the phishing warning did not appear.

and really, reading a help file is hardly training :)

*sigh*

[hobo+sapiens]

Of course they're inneffective. Phishing is not an IE problem or a "security" problem. It's a trust problem. If someone was going door to door claiming to be a representative of a bank and asking for account numbers, most people would turn him away and call the cops. Why do we then trust a link in some unsolicited eMail with the same information? Geez.

What's unfortunate here is that since Microsoft, via IE7, made the attempt to protect users from phishing, now they have some degree of responsibility to fix what they never can. Don't claim that you will fix something if you cannot.