Lab Notes
Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .
EV Certificates: Questionably Effective
"Extended Validation" (EV) certificates are sold by authorities like Verisign and Entrust to webmasters looking to prove their sites' security to users. By paying extra money and going through a more rigorous approval process, webmasters receive an SSL certificate that turns the Internet Explorer 7 address bar green. This, the certificate authorities claim, gives users extra assurance that they are not subject to phishing or other kinds of attacks.
Verisign's current entry-level "SSL Secure Site" certificate is $399 retail, while a quick Google search turned up a competitor selling certificates for $14.95. From a web browser's perspective, the two certificates are equally trustworthy, and both will show the little lock icon in the address bar. What's more, not only are the competitor's certificates much cheaper, they're also easier to obtain: all you need to do is send a couple of emails. With Verisign (at least, the last time I bought a Verisign certificate), you need to jump through additional hoops to get your certificate. In my opinion, Verisign's certificates are indeed more secure, but it doesn't matter — so long as the lock icon appears in the address bar, that's all that counts.
So what's a certificate authority to do? Create a new, higher tier of certificates that do more than just show the lock icon and recover some of that lost revenue. Verisign's EV certificate offering is $1,499 a year. If you purchase one of these certificates, a user visiting your site will have their browser address bar turn an unpleasant shade of green (with a nice little lock icon, for nostalgia's sake).
Just one problem: a study by Stanford and Microsoft researchers indicates that EV certificates are no better than regular certificates at helping prevent phishing attacks. Additionally, users who read the IE7 help file were more likely to fall prey to phishing attempts, as they came to trust the browser UI to alert them to such attempts. A false negative (that is, a phishing site not flagged by the browser) was implicitly trusted by users in the study.