EV Certificates: Questionably Effective
"Extended Validation" (EV) certificates are sold by authorities like Verisign and Entrust to webmasters looking to prove their sites' security to users. By paying extra money and going through a more rigorous approval process, webmasters receive an SSL certificate that turns the Internet Explorer 7 address bar green. This, the certificate authorities claim, gives users extra assurance that they are not subject to phishing or other kinds of attacks.
Verisign's current entry-level "SSL Secure Site" certificate is $399 retail, while a quick Google search turned up a competitor selling certificates for $14.95. From a web browser's perspective the two are equally trustworthy: the chain validation that decides whether the lock icon appears checks the signature, the hostname and the validity period, not how much the applicant paid or how carefully they were vetted. What's more, not only are the competitor's certificates much cheaper, they're also easier to obtain; all you need to do is answer a couple of emails. With Verisign (at least, the last time I bought a Verisign certificate), you need to jump through additional hoops to get your certificate. In my opinion, Verisign's certificates are indeed more secure, but it doesn't matter: so long as the lock icon appears in the address bar, that's all that counts.
So what's a certificate authority to do? Create a new, higher tier of certificates that does more than just show the lock icon, and recover some of that lost revenue. Verisign's EV certificate offering is $1,499 a year. If you purchase one of these certificates, a user visiting your site will see the browser address bar turn an unpleasant shade of green (with a nice little lock icon, for nostalgia's sake). The browser tells an EV certificate apart from an ordinary one not by any stronger cryptography but by a policy identifier inside the certificate, which it matches against a built-in list of roots approved to issue EV.
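To make the mechanics concrete: the lock is decided by ordinary chain validation, which sees a signature, a hostname and a validity period and nothing about price or vetting; the green bar is decided by a policy OID inside the certificate that the browser matches against a built-in, per-root EV list. The Go program below is added here as an illustration and is not code from the original post, from IE7, or from any CA. It builds two throw-away roots and three server certificates for one constructed hostname: a cheap domain-validated certificate, a genuine EV certificate, and a cheap certificate that merely copies the EV OID. The root names, hostname and EV table are constructed for the example; the OID 2.23.140.1.1 is the CA/Browser Forum EV identifier adopted after the IE7 era (each CA used its own OID then); and the `addressBar` function is a model of the browser's check, not IE7's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum EV policy OID (2.23.140.1.1), adopted after the IE7 era; back
// then each CA registered its own OID, but the browser-side check is the same.
var evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1}

// evTable models the browser's built-in EV list: per trusted root (keyed here by its
// DER; real browsers key by fingerprint), the policy OIDs that earn the green bar.
type evTable map[string][]asn1.ObjectIdentifier

// Outcome is what the address bar would show for one leaf certificate.
type Outcome struct{ Lock, GreenBar bool }

// PolicyInformation without qualifiers, for the certificatePolicies extension.
type policyInformation struct{ Policy asn1.ObjectIdentifier }

// issue signs a certificate; a nil parent means a self-signed root. A policy OID goes
// into a hand-encoded certificatePolicies (2.5.29.32) extension so the example
// compiles on any Go release. Failures here are bugs, not runtime conditions.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, name string, isCA bool,
	oid asn1.ObjectIdentifier) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if oid != nil {
		der, _ := asn1.Marshal([]policyInformation{{oid}}) // SEQUENCE OF PolicyInformation
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so Raw and the extensions are populated
	return cert, key
}

// addressBar mirrors the browser: ordinary chain validation alone decides the lock;
// the green bar also needs a policy OID that the table lists for the root the chain
// ended at, so a discount root that copies the OID into its certs gains nothing.
func addressBar(leaf *x509.Certificate, roots *x509.CertPool, host string, table evTable) Outcome {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return Outcome{} // no lock, no green bar
	}
	root := chains[0][len(chains[0])-1]
	for _, have := range leaf.PolicyIdentifiers {
		for _, want := range table[string(root.Raw)] {
			if have.Equal(want) {
				return Outcome{Lock: true, GreenBar: true}
			}
		}
	}
	return Outcome{Lock: true}
}

// Scenario issues three leaves for one constructed host: a cheap domain-validated
// one, a genuine EV one, and a cheap one that merely copies the EV OID.
func Scenario() map[string]Outcome {
	evRoot, evKey := issue(nil, nil, "Example EV Root", true, nil)
	cheapRoot, cheapKey := issue(nil, nil, "Example Discount Root", true, nil)
	roots := x509.NewCertPool()
	roots.AddCert(evRoot)
	roots.AddCert(cheapRoot)
	table := evTable{string(evRoot.Raw): {evPolicyOID}} // only the EV root is listed
	const host = "www.example.com"
	dv, _ := issue(cheapRoot, cheapKey, host, false, nil)
	genuine, _ := issue(evRoot, evKey, host, false, evPolicyOID)
	fake, _ := issue(cheapRoot, cheapKey, host, false, evPolicyOID)
	return map[string]Outcome{
		"dv":      addressBar(dv, roots, host, table),
		"ev":      addressBar(genuine, roots, host, table),
		"fake-ev": addressBar(fake, roots, host, table),
	}
}

func main() {
	fmt.Println(Scenario()) // map[dv:{true false} ev:{true true} fake-ev:{true false}]
}
```

All three leaves pass `Verify` and get the lock; only the one chaining to the root listed in the table gets the green bar. That is why a discount CA cannot sell the green bar by copying the OID, and why the EV distinction lives in the browser's list rather than in anything a user can see in the certificate itself.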
Just one problem: a study by Stanford and Microsoft researchers indicates that EV certificates are no better than regular certificates at helping users spot phishing attacks. Worse, participants who had read the IE7 help file were more likely to fall for phishing attempts, because they came to trust the browser UI to warn them. A false negative (a phishing site the browser did not flag) was therefore implicitly trusted by users in the study: the absence of a warning read as a signal that the page was safe.
