- From: George Staikos <staikos@kde.org>
- Date: Tue, 23 Jan 2007 11:24:17 -0500
- To: W3 Work Group <public-wsc-wg@w3.org>
I don't see this as an attack against EV period. It's the same old attack, and we know it works against any UI indicator period. Only a customizable UI can even possibly circumvent this unless the user truly investigates the nature of that window relative to the windows around it.

On 22-Jan-07, at 3:56 PM, Hallam-Baker, Phillip wrote:

> I would class this as an attack on the IE7 EV experience and not on
> the EV certificate concept.
>
> I sometimes manage to fool myself into thinking a screen capture
> is a browser. But I don't see how I would fool myself into thinking
> that a browser in a browser launched from an email was genuine.
>
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org
>> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Thomas Roessler
>> Sent: Monday, January 22, 2007 3:46 PM
>> To: public-wsc-wg@w3.org
>> Subject: Interesting paper re EV certs and UIs
>>
>> http://www.usablesecurity.org/papers/jackson.pdf
>>
>> An Evaluation of Extended Validation and Picture-in-Picture
>> Phishing Attacks
>>
>> Collin Jackson, Daniel R. Simon, Desney S. Tan, and Adam Barth
>>
>> Abstract. In this usability study of phishing attacks and
>> browser antiphishing defenses, 27 users each classified 12
>> web sites as fraudulent or legitimate. By dividing these
>> users into three groups, our controlled study measured both
>> the effect of extended validation certificates that appear
>> only at legitimate sites and the effect of reading a help
>> file about security features in Internet Explorer 7.
>> Across all groups, we found that picture-in-picture attacks
>> showing a fake browser window were as effective as the best
>> other phishing technique, the homograph attack. Extended
>> validation did not help users identify either attack.
>> Additionally, reading the help file made users more likely to
>> classify both real and fake web sites as legitimate when the
>> phishing warning did not appear.
>>
>> Cheers,
>> --
>> Thomas Roessler, W3C <tlr@w3.org>

--
George Staikos
KDE Developer                      http://www.kde.org/
Staikos Computing Services Inc.    http://www.staikos.net/
Received on Tuesday, 23 January 2007 16:24:39 UTC