On Tue, 7 Nov 2006, Gervase Markham wrote:
> If phishing sites continue to use no certs, and people continue to be
> fooled, then yes, EV does not help. As I've said before, it's hard to
> protect the guy who types his CC number into any form which asks for it.
Indeed -- but that particular straw-user isn't the only type that will
remain phishable after deployment of EV. There are many kinds of users:
A. Users who don't click on bank website links in e-mail (and instead
navigate by bookmark or URL)
B. Users who can distinguish the chrome from the page and look for
padlocks in the chrome, ignoring padlocks in the page
C. Users who can distinguish the chrome from the page and look for
a yellow URL bar in the chrome, ignoring URL bars in the page
D. Users who can distinguish the chrome from the page and look for
'https' in the URL bar in the chrome, ignoring URL bars in the page
E. Users who can distinguish the chrome from the page and don't notice
the 'https', the yellow bar, or the padlock in chrome now, but
would notice a green bar in the chrome
F. Users who can reliably tell whether SSL is enabled, but could be
socially engineered into ignoring it ("sorry, encryption is down
today; certificate will be updated soon; please proceed anyway")
G. Users who can't tell the difference between the chrome and the
page (and e.g. would be fooled by a picture-in-picture attack)
H. Users who type their username and password into a form whenever
the page surrounding it looks familiar
This is just off the top of my head -- the above is surely incomplete.
Anyway, my point is: none of these seven types of users can be
casually dismissed as "stupid". But it is instructive to do this
kind of breakdown and analysis, because it gives you an upper bound
on the impact of an anti-phishing measure. The only type that will
be helped by the introduction of EV is group E. How big is group E?
We don't know exactly how many users are in each group. Group A
describes many people I know -- but all those people are immune to
phishing attacks, so that clearly doesn't represent everyone.
Research shows that lots of people are in groups G and H. [1]
And I'd be willing to bet a lot more of us are in group F than might
like to admit. My guess would be that this has to do with our perception
of the level of technical security competence at these bank websites,
which is quite low, and our perception of the level of difficulty of
certificate administration, which is somewhat high.
> On the other hand, if you want to spoof PayPal and PayPal has an EV
> certificate, one might hope that the fact that there's been a green bar
> every time before, combined with PayPal's regular reminders on various
> pages to "check for the green bar", might make people pause for thought
> if the bar is not there. It's a lot more obvious than the lock, after all.
This is precisely the sort of thing that should be user-tested before
a standard recommended UI is specified. Your claim of "more obvious"
sounds plausible, but (alas) real user behaviour doesn't always
reflect what sounds plausible.
Given that Microsoft (as far as I know) is the only browser vendor so
far to implement an EV UI, have they run user studies on it? Does
Mozilla have plans to run user studies on the EV UI in Firefox?
-- ?!ng
[1] http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security