study shows "extended validation" TLS certs ineffective

Perry E. Metzger perry at piermont.com
Fri Jan 26 15:50:43 EST 2007


   Abstract. In this usability study of phishing attacks and browser
   anti-phishing defenses, 27 users each classified 12 web sites as
   fraudulent or legitimate. By dividing these users into three
   groups, our controlled study measured both the effect of extended
   validation certificates that appear only at legitimate sites and the
   effect of reading a help file about security features in Internet
   Explorer 7. Across all groups, we found that picture-in-picture
   attacks showing a fake browser window were as effective as the best
   other phishing technique, the homograph attack. Extended validation
   did not help users identify either attack. Additionally, reading
   the help file made users more likely to classify both real and fake
   web sites as legitimate when the phishing warning did not appear.

http://www.usablesecurity.org/papers/jackson.pdf

-- 
Perry E. Metzger		perry at piermont.com
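The abstract names the homograph attack as the strongest phishing technique in the study: a hostname whose letters are drawn from more than one script so that it renders like a well-known name. The users in the study could not spot it; the place to catch it is the browser or mail gateway, before a human is asked to judge. The following is an added example of such a check, written for this post and not code from the paper or from the Cryptography list; it assumes that mixing Latin letters with Cyrillic or Greek look-alikes inside one DNS label is the signal worth flagging, and it uses the prefix of each character's Unicode name as a stand-in for the Unicode Script property, which Python's unicodedata module does not expose. The function names and the sample hostnames are constructed for this example.

```python
import unicodedata

# Script families told apart by the prefix of the Unicode character name
# (unicodedata has no Script property, so the name prefix is a practical proxy).
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")


def script_of(ch: str) -> str:
    """Return the script family of a letter, or 'OTHER' for anything else."""
    name = unicodedata.name(ch, "")
    for s in SCRIPTS:
        if name.startswith(s + " "):
            return s
    return "OTHER"


def to_unicode(host: str) -> str:
    """Decode an ASCII/punycode (xn--) hostname to Unicode; pass Unicode hosts through."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def analyze_hostname(host: str) -> dict:
    """Classify a hostname as 'ascii', 'non-latin' or 'mixed-script'.

    A label that mixes Latin letters with Cyrillic or Greek ones is the
    classic homograph pattern; a label written wholly in one non-Latin
    script is ordinary internationalised DNS and is reported separately.
    """
    uhost = to_unicode(host)
    findings = []
    for label in uhost.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        scripts.discard("OTHER")  # digits, hyphens, unknown scripts are ignored
        if len(scripts) > 1:
            findings.append((label, "mixed-script"))
        elif scripts and scripts != {"LATIN"}:
            findings.append((label, "non-latin"))
    if uhost.isascii():
        verdict = "ascii"
    elif any(kind == "mixed-script" for _, kind in findings):
        verdict = "mixed-script"
    else:
        verdict = "non-latin"
    return {"unicode": uhost, "verdict": verdict, "findings": findings}


# Constructed samples: a plain ASCII name, a look-alike with a Cyrillic 'a'
# (U+0430) in place of the Latin one, and a name written wholly in Cyrillic.
ASCII_SAMPLE = "paypal.com"
HOMOGRAPH_SAMPLE = "p\u0430ypal.com"
PUNYCODE_SAMPLE = HOMOGRAPH_SAMPLE.encode("idna").decode("ascii")  # xn-- form
CYRILLIC_SAMPLE = "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"

if __name__ == "__main__":
    for h in (ASCII_SAMPLE, PUNYCODE_SAMPLE, CYRILLIC_SAMPLE):
        print(h, "->", analyze_hostname(h))
```

The check runs on the wire form of the name (the xn-- label a browser actually resolves), so the decoded string and the verdict can be shown beside the address bar or logged by a proxy regardless of how the name was typed.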
