- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Mon, 22 Jan 2007 12:56:09 -0800
- To: "Thomas Roessler" <tlr@w3.org>, <public-wsc-wg@w3.org>
I would class this as an attack on the IE7 EV experience and not on the EV certificate concept. I sometimes manage to fool myself into thinking a screen capture is a browser. But I don't see how I would fool myself into thinking that a browser in a browser launched from an email was genuine.

> -----Original Message-----
> From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Thomas Roessler
> Sent: Monday, January 22, 2007 3:46 PM
> To: public-wsc-wg@w3.org
> Subject: Interesting paper re EV certs and UIs
>
> http://www.usablesecurity.org/papers/jackson.pdf
>
> An Evaluation of Extended Validation and Picture-in-Picture
> Phishing Attacks
>
> Collin Jackson1, Daniel R. Simon2, Desney S. Tan2, and Adam Barth1
>
> Abstract. In this usability study of phishing attacks and
> browser antiphishing defenses, 27 users each classified 12
> web sites as fraudulent or legitimate. By dividing these
> users into three groups, our controlled study measured both
> the effect of extended validation certificates that appear
> only at legitimate sites and the effect of reading a help
> file about security features in Internet Explorer 7.
> Across all groups, we found that picture-in-picture attacks
> showing a fake browser window were as effective as the best
> other phishing technique, the homograph attack. Extended
> validation did not help users identify either attack.
> Additionally, reading the help file made users more likely to
> classify both real and fake web sites as legitimate when the
> phishing warning did not appear.
>
> Cheers,
> --
> Thomas Roessler, W3C <tlr@w3.org>
Received on Monday, 22 January 2007 20:58:56 UTC