Security Basics mailing list archives
Re: Extended Validation SSL Certificates
From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Mon, 2 Mar 2009 18:44:56 -0500
The value of EV certs as a mitigation for phishing is highly debatable. Some studies (*) show that they are an ineffective control simply because users do not pay attention to
this kind of browser warning. We probably need more statistical data that show the effectiveness of EV in mitigating MiTM attacks and other threats.
Regards
Marco
OWASP Chapter Lead
Writing Secure Software Blogger

(*)

Up to 300 BankDirect customers were presented with a security alert when they visited the bank's website... invalid banking cert spooks only one user in 300:
http://computerworld.co.nz/news.nsf/UNID/FCC8B6B48B24CDF2CC2570020018FF73?OpenDocument&pub=Computerworld

Why Phishing Works: ...The best phishing site will be able to fool 90% of participants...
http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf

An evaluation of EV and Picture in Picture Attacks: ...EV did not help users to identify either (picture in picture and homograph attacks).
http://www.usablesecurity.org/papers/jackson.pdf

Usability studies show that server-identification, e.g. by an image or text displayed in the login page, can provide a modest improvement in the detection rates of spoofed sites. We found an improvement in detection rates when the user was actively involved in the image selection and display (e.g. if the user must click on the image).
http://www.owasp.org/index.php/OWASP_Israel_2008_Conference_Amir_Herzberg

----- Original Message -----
From: "Odd" <iodine () runbox no>
To: <security-basics () securityfocus com>
Sent: Monday, March 02, 2009 11:47 AM
Subject: Re: Extended Validation SSL Certificates

W W wrote:
I guess this begs the question on whether extended validation certs are really worth their merit. You are correct in that the information you provide to cert companies is not much more than what you would provide for a standard cert. Technically they are no more secure than your standard cert, so what is the point? How many users out there really know what the "green bar" really means or even care?

I don't know, but based on the general awareness of such things by ordinary users I would guess not that many. What type of clients you target is certainly a factor to consider before purchasing one.

Odd

On Thu, Feb 26, 2009 at 7:13 PM, Odd wrote:
s0h0us wrote:
Can anyone share their experiences with the purchase of these certs? I've heard the amount of information that needs to be supplied and the due diligence required is a difficult and long process.

Some months ago I purchased one from Verisign for a multinational company. It took a while to get it, but there was no more work than for regular certs.

Odd
Current thread:
- Re: Extended Validation SSL Certificates Odd (Mar 02)
- Re: Extended Validation SSL Certificates Marco M. Morana (Mar 03)
- <Possible follow-ups>
- Re: Extended Validation SSL Certificates krymson (Mar 03)