Response to PayPal on EV Certificates

Over on the PayPal blog Michael Barrett (their chief security officer) mentions a paper he and Dan Levy wrote extolling the virtues of Extended Validation certificates.

I’ve left a comment there (yet to escape from moderation) questioning the merits of EV and I thought I’d reproduce it here, especially in light of the recent cross-site scripting attack against PayPal through a page protected by such a certificate.

I am unconvinced by EV certificates; I believe they will just lull people into a false sense of security through misunderstanding what they mean.

As Jackson, Simon, Tan, and Barth of Stanford and Microsoft have already found when looking at homographic and picture-in-picture attacks:

  • Extended validation did not help users defend against either attack.
  • Extended validation did not help untrained users classify a legitimate site.
  • Training caused more real and fraudulent sites to be classified as legitimate.

So they may actually do more harm than good, turning your “safe” browser into an unsafe one.

You can find their paper here:

Bold and italic emphasis are mine.
