Over on the PayPal blog Michael Barrett (their chief security officer) mentions a paper he and Dan Levy wrote extolling the virtues of Extended Validation certificates.
I’ve left a comment there (yet to escape from moderation) questioning the merits of EV and I thought I’d reproduce it here, especially in light of the recent cross-site scripting attack against PayPal through a page protected by such a certificate.
I am unconvinced by EV certificates; I believe they will just lull people into a false sense of security through misunderstanding what they mean.
As Jackson, Simon, Tan and Barth of Stanford and Microsoft have already found when looking at homographic and picture-in-picture attacks:
- Extended validation did not help users defend against either attack.
- Extended validation did not help untrained users classify a legitimate site.
- Training caused more real and fraudulent sites to be classified as legitimate.
So they may actually do more harm than good, turning your “safe” browser into an unsafe one.
You can find their paper here:
Bold and italic emphasis are mine.