Re: Interesting paper re EV certs and UIs

Please add this to our shared bookmark area in the wiki, with a brief 
annotation of take-away lessons for us. Thanks.

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Thomas Roessler <tlr@w3.org>
Sent by: public-wsc-wg-request@w3.org
01/22/2007 03:46 PM

To: public-wsc-wg@w3.org
Subject: Interesting paper re EV certs and UIs

http://www.usablesecurity.org/papers/jackson.pdf

An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks

Collin Jackson, Daniel R. Simon, Desney S. Tan, and Adam Barth

Abstract. In this usability study of phishing attacks and browser
antiphishing defenses, 27 users each classified 12 web sites as
fraudulent or legitimate. By dividing these users into three groups,
our controlled study measured both the effect of extended validation
certificates that appear only at legitimate sites and the effect of
reading a help file about security features in Internet Explorer 7.
Across all groups, we found that picture-in-picture attacks showing
a fake browser window were as effective as the best other phishing
technique, the homograph attack. Extended validation did not help
users identify either attack. Additionally, reading the help file
made users more likely to classify both real and fake web sites as
legitimate when the phishing warning did not appear.

Cheers,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Thursday, 1 February 2007 17:47:33 UTC