Wednesday, December 5, 2007

EV Certs Don't Stop Phishing

Earlier this year, Netcraft published a survey that showed more than there were more than 600,000 "secure sites" capable of hosting an SSL session on the web.

To quote Netcraft, "The first survey, in November 1996, found just 3,283 sites; since then, the number of SSL sites has had an average compound growth of 65% per annum."

As an indicator of commercial activity, I think this is a useful survey. If you accept the premise that mergers and acquisitions lead to less new certificates being issued, then the growth in e-commerce may actually be in excess of 65% annually.

Which brings me to the biggest potential failure on the SSL roadmap to date: EV Certs.

The recent launch of EV (Extended Validation) merchant certificates by Microsoft, Verisign and others has not exactly set the world on fire. By May this year - the last time data on EVs was published by Netcraft - the total number of EV certs being utilized by Internet merchants was just 700, or 0.1% of the total.

There's a good reason for this: EV certificates don't work.

They don't stop phishing, they don't communicate well to users, they do away with the SSL padlock, and the whole thing is so easily spoofed, it may as well not be there.

You don't have to take my word for it - there is a scientific study available conducted by Standford University and Microsoft Research that backs this up.

The findings of the analysis were unequivocal: users paid zero attention to the green background applied to the address bar by the EV cert:

"We presented a controlled between-subjects evaluation of the extended validation user interface in Internet Explorer 7. Unfortunately, participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group."

The results improved slightly after a reading of the IE Help File, but then the group uncovered a second problem - the EV-powered address bar can be spoofed very easily, essentially rendering any investment in education, or pushing people to read the manual, completely valueless:

"Like its predecessor, the lock icon, extended validation is vulnerable to picture-in-picture user interface spoofing attacks. We found these attacks to be as effective as homograph attacks, the best known phishing attack."

They are absolutely right on this count. As our Chief Scientist, Helmuth Freericks, has previously warned, creating a spoofed version of this attack is rather trivial.

So how can consumers get their hands on real security? Obviously, there is a real need for innovation. At Authentium, we have spent three years designing a secure Internet browsing environment that does away with the need for UI gimmicks. In other words, we've followed the advice of Stanford and Microsoft researchers:

"Designing a user interface that resists both homograph and picture-in-picture attacks should be a high priority for designers of future browsers."

That's what our guys have done. To take a look, click here, or take a look at Corey's video about VERO and VirtualATM in the right-hand column.


Tim said...


My name is Tim Callan. I work for VeriSign's SSL business and publish an SSL Blog.

I'll encourage you to look at Collin Jackson's paper a little more closely. The results reported in this paper are

meaningless for the simple reason that the data set is so small that the margin for error far exceeds the results to

which we're supposed to be attributing significance.

Each of the data sets contained only nine test subjects, far too few for the results to be trustworthy. To put it in perspective, that means a single individual changing their mind swings the results by an astounding 11%. The margin for error on these data are resultingly huge. If you look at Figure 4 you'll see what I mean. For example, when the "Trained EV Homograph" cell comes in at a reported 55%, you can see that all we really know (as shown by the little I-shaped lines) is that the results are likely to be somewhere between 27 and 81%. Somewhere between 27 and 81% is very little by way of useful information, especially when we're comparing supposed scores of 36, 49, and 55%. In essence, the only conclusion we can draw from this paper is that with so few data points we don't really know anything.

At this year's RSA conference in February, Collin Jackson and I actually discussed this matter, and he agreed with my assessment of the data's inadequacy.

However, others have researched this subject and seen radically different results. Usability Research firm Tec-Ed conducted usage studies on 384 online shoppers throughout North America and found that 97% of them are prepared to make a credit card purchase from a site with green address bars while only 63% will proceed on sites without these bars. Leading online retailer watched shopping cart abandonment decrease by 8.6% among IE7 users after EV certificates were deployed.

I cover the latest research developments pretty extensively on my blog, if you're interested in more information.

John C. Sharp said...

Hi Tim,

I agree that it is a small data set. That does cut both ways however, in that single instances of recognition could also have inflated the findings in the positive direction. But I agree with your fundamental point and will go back and take another look at the dataset.

I'm not sure quite how to parse the details that Tec-Ed has published via a vis the Johnson study, but the Overstock example presents a very interesting picture.

I think the Overstock example you provide is very interesting given the amount of data and transactions supported - an 8.6% reduction would indicate a positive ROI is supported for Overstock.

That said, the spoofing possibility does still concern me. I think the best and most cost-effective approach for merchants may be a combination of Verisign's proven certification and SSL certificate issuance process, and Authentium's hosted secure session service.