RE: Interesting paper re EV certs and UIs

Hi Phillip,

Do you think you might be fooled if the real outer browser were made
larger than your computer screen and the fake picture-of-a-browser were
made the exact dimensions of your screen, such that it looked like a
maximized window?

Tyler 

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Hallam-Baker, Phillip
Sent: Monday, January 22, 2007 12:56 PM
To: Thomas Roessler; public-wsc-wg@w3.org
Subject: RE: Interesting paper re EV certs and UIs


I would class this as an attack on the IE7 EV experience and not on the
EV certificate concept.

I sometimes manage to fool myself into thinking a screen capture is a
browser. But I don't see how I would fool myself into thinking that a
browser in a browser launched from an email was genuine.


> -----Original Message-----
> From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Thomas Roessler
> Sent: Monday, January 22, 2007 3:46 PM
> To: public-wsc-wg@w3.org
> Subject: Interesting paper re EV certs and UIs
> 
> 
> http://www.usablesecurity.org/papers/jackson.pdf
> 
> An Evaluation of Extended Validation and Picture-in-Picture Phishing 
> Attacks
> 
> Collin Jackson1, Daniel R. Simon2, Desney S. Tan2, and Adam Barth1
> 
> Abstract. In this usability study of phishing attacks and browser 
> antiphishing defenses, 27 users each classified 12 web sites as 
> fraudulent or legitimate. By dividing these users into three groups, 
> our controlled study measured both the effect of extended validation 
> certificates that appear only at legitimate sites and the effect of 
> reading a help file about security features in Internet Explorer 7.
> Across all groups, we found that picture-in-picture attacks showing a 
> fake browser window were as effective as the best other phishing 
> technique, the homograph attack. Extended validation did not help 
> users identify either attack.
> Additionally, reading the help file made users more likely to classify
> both real and fake web sites as legitimate when the phishing warning 
> did not appear.
> 
> Cheers,
> --
> Thomas Roessler, W3C  <tlr@w3.org>
> 
> 

Received on Monday, 22 January 2007 22:37:13 UTC