Response to PayPal on EV Certificates

Over on the PayPal blog Michael Barrett (their chief security officer) mentions a paper he and Dan Levy wrote extolling the virtues of Extended Validation certificates.

I’ve left a comment there (yet to escape from moderation) questioning the merits of EV and I thought I’d reproduce it here, especially in light of the recent cross-site scripting attack against PayPal through a page protected by such a certificate.

I am unconvinced by EV certificates; I believe they will just lull people into a false sense of security through misunderstanding what they mean.

As Jackson, Simon, Tan and Barth (of Stanford and Microsoft) have already found when looking at homographic and picture-in-picture attacks:

  • Extended validation did not help users defend against either attack.
  • Extended validation did not help untrained users classify a legitimate site.
  • Training caused more real and fraudulent sites to be classified as legitimate.

So they may actually do more harm than good, turning your “safe” browser into an unsafe one.

You can find their paper here:

Bold and italic emphasis are mine.