Security Basics mailing list archives

Re: Extended Validation SSL Certificates


From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Mon, 2 Mar 2009 18:44:56 -0500

The value of EV certs for mitigation of phishing is highly debatable.
Some studies (*) show that they are an ineffective control simply because users do not pay attention to
this kind of browser warning.

We probably need more statistical data that show the effectiveness of EV in mitigating MiTM attacks and other threats.

Regards

Marco
OWASP Chapter Lead
Writing Secure Software Blogger

(*)
Up to 300 BankDirect customers were presented with a security alert when
they visited the bank's website...invalid banking cert spooks only one user
in 300:
http://computerworld.co.nz/news.nsf/UNID/FCC8B6B48B24CDF2CC2570020018FF73?OpenDocument&pub=Computerworld

Why Phishing Works: ...The best phishing site will be able to fool 90% of
participants...
http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf

An evaluation of EV and Picture in Picture Attacks: ..EV did not help users
to identify either (picture in pic and homograph) attacks.
http://www.usablesecurity.org/papers/jackson.pdf

Usability studies show that server-identification, e.g. by an image or text
displayed in the login page, can provide a modest improvement in the
detection rates of spoofed sites. We found an improvement in detection
rates, when the user was actively involved in the image selection and
display (e.g. if user must click on the image).
http://www.owasp.org/index.php/OWASP_Israel_2008_Conference_Amir_Herzberg

----- Original Message ----- From: "Odd" <iodine () runbox no>
To: <security-basics () securityfocus com>
Sent: Monday, March 02, 2009 11:47 AM
Subject: Re: Extended Validation SSL Certificates


W W wrote:
I guess this begs the question of whether extended validation certs
are really worth their merit.  You are correct that the information you
provide to cert companies is not much more than what you would provide
for a standard cert.  Technically they are no more secure than your
standard cert, so what is the point?  How many users out there really
know what the "green bar" really means or even care?

I don't know, but based on the general awareness of such things by
ordinary users I would guess not that many. What type of clients you
target is certainly a factor to consider before purchasing one.

Odd


On Thu, Feb 26, 2009 at 7:13 PM, Odd wrote:
s0h0us wrote:
Can anyone share their experiences with the purchase of these certs?
I've heard the amount of information that needs to be supplied and
the due diligence required is a difficult and long process.
Some months ago I purchased one from Verisign for a
multinational company. It took a while to get it, but there
was no more work than for regular certs.

Odd
