Study Finds IE7 + EV SSL Won't Stop Phishing
An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued."
It's a user education problem, and it's probably too late. SSL has long been mis-sold to end users as an indication of security and trust; it may well secure some communications, but the trust aspect is bogus. The newer certificates attempt to add a more measurable trust metric, but without user education it will be useless. Warnings on screen simply get ignored. The study could have equally been done with Opera (which supports the new EV certificates). In addition, they also used Firefox on the Mac to demonstrate a homograph attack.
Any problem that relies solely on user education/training is doomed to failure because most users don't care or don't want to be trained. They just want it to work.
These "EV certificates" are a joke. If you've been in the industry 5 years or more, you know that the pitch surrounding these certs is 100% identical to the pitch used to sell regular, commercial-CA-signed certs 5 years ago.
Users are right to be confused. When connecting to "consumer" applications from home they might see the IE green bar, but then they go to work and get used to seeing the IE red bar to connect to all their partners' "B2B" websites all day. (Lots, if not most companies seem to use self-signed certs or give out IP addresses to connect to rather than hostnames that match with a valid CA-signed cert for business-to-business web applications.)
I recently got an account at Fidelity, one of the largest mutual funds, with assets in the billions of dollars. It has a 6- to 10-digit numerical password. No special characters, no letters. A very simple authentication system. They should know that they will attract phishers and scammers like honey draws the bees. But the top-level decision makers still think, "my customer is 65 years old and is not tech savvy. They will get confused; make it easy and simple for them." They are making it easy and simple for the phishers and scammers too. Schwab too has a simple username/password. Vanguard is a little better. It monitors the IP addresses of past logins and puts you through a tougher login session the first time you log in from a new location. It also logs you in using two screens and displays a user-selected personalization picture and caption to authenticate the server. My bank is horrible, with just a four-digit numerical password (for the Quicken online access, at least). Fidelity also uses the Social Security number as a login ID by default. I was not impressed by the login authentication methods of Alex Brown, National Discount Broker, Ameritrade and MFS in the past. Someday they are going to lose millions of dollars, and then they will swing in the completely opposite direction and make us climb Mount Everest just to log in.
Of course they're ineffective. Phishing is not an IE problem or a "security" problem. It's a trust problem. If someone was going door to door claiming to be a representative of a bank and asking for account numbers, most people would turn him away and call the cops. Why do we then trust a link in some unsolicited email with the same information? Geez.
What's unfortunate here is that since Microsoft, via IE7, made the attempt to protect users from phishing, now they have some degree of responsibility to fix what they never can. Don't claim that you will fix something if you cannot.
blah blah blah