- From: Mike Beltzner <beltzner@mozilla.com>
- Date: Tue Jan 23 16:51:38 2007
- To: "George Staikos" <staikos@kde.org>, "W3 Work Group" <public-wsc-wg@w3.org>
It is as I have long said. The purpose of EV and the CAB forum should be to provide a mechanism through which metadata about a website's identity can be provided and reasonably/accountably ensured. It should not be to proscribe how browser vendors should best display or communicate that information: that task is up to the browser vendors, and this group can make solid recommendations based on user research and security metaphors. To their credit, they have not done so; the "green bar" UI merely propagated through the IE7 team showing screenshots, and everyone latching on to the concept.

(As an aside though, CAs advertising the "green bar" as a signal of security merely encourages that signal to be spoofed through this sort of attack. I think in the large that UI treatment might make things better, but only slightly so.)

cheers,
mike

-----Original Message-----
From: George Staikos <staikos@kde.org>
Date: Tue, 23 Jan 2007 11:24:17
To: W3 Work Group <public-wsc-wg@w3.org>
Subject: Re: Interesting paper re EV certs and UIs

I don't see this as an attack against EV, period. It's the same old attack, and we know it works against any UI indicator, period. Only a customizable UI can even possibly circumvent this unless the user truly investigates the nature of that window relative to the windows around it.

On 22-Jan-07, at 3:56 PM, Hallam-Baker, Phillip wrote:

> I would class this as an attack on the IE7 EV experience and not on
> the EV certificate concept.
>
> I sometimes manage to fool myself into thinking a screen capture
> is a browser. But I don't see how I would fool myself into thinking
> that a browser in a browser launched from an email was genuine.
>
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org
>> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Thomas Roessler
>> Sent: Monday, January 22, 2007 3:46 PM
>> To: public-wsc-wg@w3.org
>> Subject: Interesting paper re EV certs and UIs
>>
>> http://www.usablesecurity.org/papers/jackson.pdf
>>
>> An Evaluation of Extended Validation and Picture-in-Picture
>> Phishing Attacks
>>
>> Collin Jackson, Daniel R. Simon, Desney S. Tan, and Adam Barth
>>
>> Abstract. In this usability study of phishing attacks and
>> browser anti-phishing defenses, 27 users each classified 12
>> web sites as fraudulent or legitimate. By dividing these
>> users into three groups, our controlled study measured both
>> the effect of extended validation certificates that appear
>> only at legitimate sites and the effect of reading a help
>> file about security features in Internet Explorer 7.
>> Across all groups, we found that picture-in-picture attacks
>> showing a fake browser window were as effective as the best
>> other phishing technique, the homograph attack. Extended
>> validation did not help users identify either attack.
>> Additionally, reading the help file made users more likely to
>> classify both real and fake web sites as legitimate when the
>> phishing warning did not appear.
>>
>> Cheers,
>> --
>> Thomas Roessler, W3C <tlr@w3.org>

--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/
Received on Tuesday, 23 January 2007 16:51:38 UTC