study shows "extended validation" TLS certs ineffective
Perry E. Metzger
perry at piermont.com
Fri Jan 26 15:50:43 EST 2007
Abstract. In this usability study of phishing attacks and browser
anti-phishing defenses, 27 users each classified 12 web sites as
fraudulent or legitimate. By dividing these users into three
groups, our controlled study measured both the effect of extended
validation certificates that appear only at legitimate sites and the
effect of reading a help file about security features in Internet
Explorer 7. Across all groups, we found that picture-in-picture
attacks showing a fake browser window were as effective as the best
other phishing technique, the homograph attack. Extended validation
did not help users identify either attack. Additionally, reading
the help file made users more likely to classify both real and fake
web sites as legitimate when the phishing warning did not appear.
http://www.usablesecurity.org/papers/jackson.pdf
--
Perry E. Metzger perry at piermont.com
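The homograph attack the abstract singles out works by registering an internationalized domain name whose non-Latin letters render like the Latin ones of a real site. As an added example, not part of Perry's post or of the cited paper, the following Python script (standard library only) converts a hostname between its punycode and Unicode forms and flags labels that either mix scripts or consist entirely of Cyrillic/Greek letters that look like Latin ones. The look-alike table is a small constructed subset rather than the full Unicode confusables data, the script classification is approximated from Unicode character names, and the sample hostnames are constructed for the demonstration.

```python
"""Flag IDN homograph look-alikes in hostnames (stdlib only).

Added example; not code from the list post or the cited study. The
confusables table is a constructed subset of Cyrillic/Greek letters that
render like Latin ones; production code should use the full UTS #39 data.
"""
import unicodedata

# Constructed subset: look-alike letter -> Latin letter it resembles.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o",  # Greek small omicron
}


def to_forms(host):
    """Return (unicode_form, ascii_form) for a host given in either form.

    The idna codec passes plain ASCII labels through and punycodes the
    rest, so encoding first works for both 'xn--...' and Unicode input.
    Raises UnicodeError for labels that fail IDNA2003 nameprep.
    """
    host = host.rstrip(".").lower()
    ascii_form = host.encode("idna").decode("ascii")
    unicode_form = ascii_form.encode("ascii").decode("idna")
    return unicode_form, ascii_form


def letter_scripts(label):
    """Approximate the scripts used by a label's letters.

    Uses the first word of the Unicode character name ('LATIN',
    'CYRILLIC', 'GREEK', ...) as a stand-in for the Script property;
    digits and hyphens are skipped because they are common to all scripts.
    """
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(text):
    """Fold known look-alikes to the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze_host(host):
    """Return both forms, the Latin skeleton and a list of findings."""
    try:
        unicode_form, ascii_form = to_forms(host)
    except UnicodeError as exc:
        return {"input": host, "findings": [f"not a valid IDNA hostname: {exc}"],
                "suspicious": True}

    findings = []
    for label in unicode_form.split("."):
        letters = [ch for ch in label if unicodedata.category(ch).startswith("L")]
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"} and all(ch in CONFUSABLES for ch in letters):
            # Whole-script confusable: every letter is a non-Latin look-alike.
            findings.append(f"label {label!r} is entirely {next(iter(scripts))} "
                            f"look-alikes of {skeleton(label)!r}")
    return {
        "input": host,
        "unicode": unicode_form,
        "ascii": ascii_form,
        "skeleton": skeleton(unicode_form),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed samples: Cyrillic 'a' inside "paypal" (both forms),
    # an all-Cyrillic label, and a clean ASCII host.
    for sample in ("xn--pypal-4ve.com", "p\u0430ypal.com",
                   "\u0441\u0430\u0440\u0435.com", "paypal.com"):
        report = analyze_host(sample)
        print(sample, "->", report.get("ascii"), "skeleton:", report.get("skeleton"))
        for finding in report["findings"]:
            print("   ", finding)
```

The skeleton is what a client-side check would compare against a list of sites the user actually has accounts with; a label that is entirely Cyrillic look-alikes carries no mixed-script signal on its own, which is why the second test exists separately from the first.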
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com