Next-gen SSL certificates limited in phishing fight

Recent study concludes that users do not take note of extended validation SSL certificates which verify identities of legitimate Web sites.
Written by Aaron Tan, Contributor

Extended validation certificates do not provide a significant advantage in identifying phishing attacks--at least, not for now, a study found.

According to a recent usability report released by Microsoft and Stanford University, new Internet security tools such as EV SSL (extended validation secure socket layer) certificates have limited potential to defend against fraud by identifying the source of content displayed on a Web browser.

Drafted in October 2006, EV SSL certificates are next-generation SSL certificates that provide a visible way for organizations to show their Web site is an authenticated business. The security tool is aimed at reassuring consumers that they are viewing and transacting with the legitimate Web site rather than a "phished" imitation. Unlike the previous SSL certification process, with EV SSL, applicant companies are now required to provide physical documents to verify their business identities.

Microsoft's Internet Explorer 7 (IE 7) is the first Web browser to support EV SSL certificates. The address bar in IE 7 will turn green to verify that the Web site and its owner's identity have been certified by security validation specialists such as Cybertrust. The address bar will not turn green if the Web site does not have an EV SSL certificate, indicating to online users that they should proceed with caution before conducting online transactions on the site.

However, the study determined that participants who did not receive any training in using browser security features did not notice the extended validation indicator.

In addition, participants who were asked to read the Internet Explorer Help file were more likely to perceive both genuine and fake sites to be legitimate whenever the phishing warning did not appear.

While there is no significant effect on user behavior, for now, the study concluded that extended validation SSL could become more effective over time as more financial Web sites adopt the Internet security tool and public awareness grows.

However, even if extended validation becomes widespread, online criminals are expected to try to mimic the trust indicator, just as they have copied other legitimate financial Web sites in the past, according to the authors of the study. "Like its predecessor, the lock icon, extended validation is vulnerable to user interface spoofing attacks."

Andrew Walls, principal security consultant at Cybertrust, noted that "people do not check the security of the sites they're [visiting]."


"Very few people actually click on the padlock icon to look at the actual certificate," Walls said in a phone interview with ZDNet Asia. "But we're hoping that by moving the notification up to the address bar, the certificate will be more apparent to users."

"But we don't expect EV SSL to suddenly take over the market--it's going to be a very gradual process," he said. "What has to happen [first] is for the customer population to understand what this means, and why they should care about whether the address bar is green or white in terms of security."

According to Walls, Overstock.com, an e-commerce Web site based in the United States, is the only company worldwide that has purchased an EV SSL certificate. "At this point, EV SSL certificates are so new that no one has bought them."

The guidelines for EV SSL certificates are defined by the Certification Authority Browser Forum (CA/B Forum), a voluntary organization comprising of leading certification authorities and vendors that provide Internet browser software and other applications. Members of the forum, which include The Mozilla Foundation, Verisign and Wells Fargo Bank, have worked closely in defining the guidelines and means of implementation for the EV SSL certificate standard.

According to the CA/B Forum's Web site, "many browser suppliers" are planning to offer support for EV SSL certificates this year.

Editorial standards