Study Finds IE7 + EV SSL Won't Stop Phishing

An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued."

Re:

[Fordiman]

But the question is: 'What can we do as IE7 and EV's friends to help them quit their phishing habit?'

Re:

[rts008]

That's easy....
it goes something like this:

sudo apt-get.....

or

sudo yum....

Re:

[fredclown]

Thing is this really isn't even an issue with Microsoft. Microsoft did not invent High Assurance Certificates. And since they are being issued Microsoft has the obligation to support them ... same as Opera or Firefox. Really this isn't Microsoft's fault. The blame rests in user error and really clever phishers. Microsoft (and all the other browsers) job is to figure out a way to make sure that users aren't fooled ... which when it really comes down to it is next to impossible.

Re:

[Zeinfeld]

Thing is this really isn't even an issue with Microsoft. Microsoft did not invent High Assurance Certificates. And since they are being issued Microsoft has the obligation to support them ... same as Opera or Firefox. Really this isn't Microsoft's fault. The blame rests in user error and really clever phishers. Microsoft (and all the other browsers) job is to figure out a way to make sure that users aren't fooled ... which when it really comes down to it is next to impossible.

This is really not accurate a

Re:

[multisync]

for those of you who haven't noticed, Microsoft has been using numbers in their Get the Facts campaign, and empirically speaking, Windows appears to be more secure than Linux.

Wow.

So the multi-billion-dollar monopolist has finally matched the efforts of a rag-tag team of hackers who just wanted to play nethack on their pee-see.

Yaaaay, Microsoft!

Re:

[multi io]

It has fewer reported vulnerabilities, fewer unpatched vulnerabilities (zero), etc.

You're not counting all the reports published by Linux distributors against any of the thousands of programs that make up an average Linux distribution against all the reports Microsoft publishes against the core Windows OS, are you? MS Word alone has 3 or 4(?) unpatched vulnerabilities atm., iirc.

This really isn't an IE problem

[blowdart]

It's a user education problem, and it's probably too late. SSL has long been missold to end users as an indication of security and trust; it may well secure some communications but the trust aspect is bogus. The newer certificates attempt to add a more measurable trust metric, but without user education it will be useless. Warnings on screen simply get ignored. The study could have equally been done with Opera (which supports the new eval certificates. In addition they also used Firefox on the Mac to indicate a homograph attack.

Re:

[ePhil_One]

The newer certificates attempt to add a more measurable trust metric, but without user education it will be useless.

Did you even read the summary?

that training users actually decreases their ability to detect attacks

With user training they are even more worthless!

Re:This really isn't an IE problem

[blowdart]

I did, and wow, I even read the PDF. Aas I said it's probably too late now; the padlock is too engrained in user's minds as a way to indicate a site is trusthworthy and real.

If you read the paper the actual "worse when trained" only referred to sites where the phising toolbar notification was not displayed and not really as a function of EVA;

The participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate whenever the phishing warning did not appear.

and really, reading a help file is hardly training :)

Re:

[Fordiman]

I don't know why there's SO much push to make phishing more visible. What's more visible than the WRONG URL? Seriously. www.paypal.realsite.com doesn't look that much like www.paypal.com, does it? Phishing is one of the most 'out in the open' attacks there is; it's pretty damned obvious to anyone who glances up at their address bar that someone's trying to pull a fast one over on 'em.

As they say, a fool and his money are soon parted. If you get scammed by a phisher, I've got not pity for you. And mayb

Re:

[Fred_A]

Seriously. www.paypal.realsite.com doesn't look that much like www.paypal.com, does it?

Except that most users still havent understood the structure of hostnames, much less of URL/URIs. So a lot of them will fall for that kind of thing whatever you put in the address bar.

Re:

[ePhil_One]

So a lot of them will fall for that kind of thing whatever you put in the address bar.

And in some cases its possible to overwrite the address bar. In others its possible to corrupt DNS caches. There are subtle mispellings that are tricky to catch, and new domain names that look legit but aren't, like www.paypalsecurity.com (PayPal pays companies like Cyveillance to monitor for such bogus registrations). And whule it hasn't happened yet to my knowledge, the real coup will be gaining control of the DNS rec

Re:

[hobo sapiens]

If on one hand you try to educate people on how hostnames work, then yes, you cannot blame then when things go wrong.

Claims the users are responsible for what happens to them amount to blaming the victim.

No, I think the gist here is that people need to be at least somewhat responsible for their personal information. For example, if I get mugged when walking around in a bad neighborhood at night while wearing my finest leather coat, then I do share some responsibility. I should know better and take reas

Re:

[Fred_A]

No, I think the gist here is that people need to be at least somewhat responsible for their personal information.

Of course on the other hand, the four colour glossies have told every user so many times that it was easy, and safe, and secure, and whatnot, that a lot of them probably believe it by now.

I sometimes think the ones who are the most to blame are the marketing and IT companies. They are the ones who systematically work at convincing gullible users that the broken products they peddle are easy

Re:This really isn't an IE problem

[TheRaven64]

Except that most users still havent understood the structure of hostnames

The real problem is that hostnames are written back to front. JANET in the UK used to write hostnames in the correct order, so this story would have been on org.slashdot.it. At each stage, you have progressive refinement. Writing hostnames the opposite way to filesystem paths (including those written after the hostname) makes no sense, and is just bad UI design. It's probably too late to switch now, but it would be much easier for a user to spot that com.phisher.com.paypal/long_path was not the same as com.paypal/long_path than it is to spot that paypal.com.phisher.com/long_path is not the same as paypal.com/long_path. Once you have spent a long time looking at URIs, it is very easy to regard .com (or .org, or co.uk) as the separator between the hostname and the path.

Re:

[Aqualung812]

So why did the other way win? http://smallest.larger.largest/largest/smaller/sma llest [smallest.larger.largest] is really screwed up.

Re:

[Master of Transhuman]

Why? Why, you ask?

Ask why every geek doesn't have ANY common sense.

Everything is a "technical problem" to a geek - and the only thing that matters is a "technical solution" - not whether the "solution" is actually worth a shit to anybody else being forced to use it.

Just "solve it" and move on to the next "interesting technical problem."

This - along with human nature - is why the greatest philosopher of the 20th Century, Woody Allen, once summed up the human condition - which applies doubly to the IT industr

How do you initiate a Picture in Picture attack?

[Zeinfeld]

The paper discusses a picture in picture attack. I don't see how such an attack fits into any of the phishing attack vectors currently seen.

Let us imagine that we have an email message that takes us to a phishing site. But instead of taking us to a Web page we get a web page within the Web page. Is the user likely to notice? I suspect so.

The experiments don't test that scenario, instead they test the scenario where the user has a browser open with a PIP browser already there. This is a rather easier lay

Re:

[nobaloney]

With user training they are even more worthless!

The real problem is that users look at the lock or the green bar only when reminded to do so. Phishing sites don't remind them, and most of them use no cert at all.

This will NOT protect anyone, and will cost folk a fortune. We've always used certs in the $35-$40 range; I guess now we'll be using certs costing ten times that much :( .

With no real benefit.

Jeff

Re:

[gandreas]

One big component of the problem is a fundamental design issue in windows - namely the whole "nested windows" concept. If you look at Fig 2 in the original article ("Picture-in-picture attack"), they show what looks like a browser window, but it is just a picture inside another window. Since users are use to seeing windows inside another, they won't notice that this second thing isn't actually a window. For a Mac user, it would definitely look suspicious (at the very least, two "highlighted as frontmost"

Re:

[DrPies]

On the other hand, the "homograph" attack (Fig 5) where the attacker spawns a window with all the adorners hidden and provides their own copies of the URL field, etc... is already addressed in Safari which uses the window title bar itself to display the "lock icon". If the indicator is in a part of the "chrome" where the content can never be, it's much harder to spoof... (it's surprising that the article doesn't suggest such an approach as a solution to this).

Isn't a homograph attack where the URL is visually similar to the legitimate site (such as www.paypa1.com instead of www.paypal.com). In this case, the problem is not the fact that the "lock icon" or any of the other extended validation is part of the "chrome", but that the font used to render the URL can also be used to render visually similar URLs. As far as I am aware, with IE7, an address bar (and the SSL information) is always shown on popup windows negating the attack you described.

Re:

[gandreas]

That'll teach me to finish my coffee before posting - part of my brain was saying that the text didn't match what I was focusing on in the image I was looking at. I guess all the more proof of how easy it is to get distracted and not notice important things like that!

#5 of the "Six Dumbest Ideas in Computer Security"

[EXTomar]

http://www.ranum.com/security/computer_security/e d itorials/dumb/ [ranum.com]

So called "User Education" is a silly idea. Simply put as the editorial highlights, if it was going to work, it would have worked by now. On the other hand this seems like an issue with IE itself where IE should never be asking "Is this okay?" in the first place.

On the one hand, users shouldn't be doing this and falling prey to phishing. On the other hand, why is IE enabling it to happen? Throwing up another "Do you want to do this? Yes/No

Re:

[a.d.trick]

Really? Most the users I know don't have a clue as to what HTTPS is.

Protect your information

[jmagar.com]

The best thing you can do is never give out your information. Protect it like you're a secret agent. Protect it against torturous interrogation. Protect it to point of taking that suicide pill hidden as the third button on your shirt.

Always ask yourself why they need it, and do you trust them to secure your information.

In Canada right now their are two separate [www.cbc.ca] credit card [www.cbc.ca] breaches under investigation. This isn't even a phishing thing, this is just plain old sloppy security.

I suspect that there are many other breaches that haven't been detected and or reported. So I strongly recommend that you refuse to give out personal information to these locations. Don't sign up for rewards cards, don't let them collect your address, and phone, and SSN, when you buy a t-shirt. They don't need it! And I don't trust them.

Re:

[FrostyCoolSlug]

In preparation to get them melted and make a small fortune?

Re:

[alexhs]

And we even know where [google.com] her mom's basement is located, because he inadvertently leaked a website, that whois is happy to inform us about. You can phone him too, but I see he entered a fake fax number.

Re:

[19061969]

I concur. I always give out false addresses whenever some website asks for mine.

On an unrelated note, has anyone noticed how slow Amazon are in delivering things?

Re:

[fossa]

A while back at the grocery store, I was offered the loyalty card. The cashier handed me a card and an application and said "fill this out at home and mail it in". Since I already had the card, I didn't bother mailing anything in, and the card is still working three months later. They can track my purchases, but only to an anonymous number. Of course, I pay with my credit card so they already have my name anyway ...

Re:

[scotbot]

I'll give you a bar of chocolate for your password [bbc.co.uk]?

Re:

[PitaBred]

Mine's "kookaburra". I promise. Where's that chocolate bar?

Re:

[enharmonix]

The best thing you can do is never give out your information. Protect it like you're a secret agent. Protect it against torturous interrogation. Protect it to point of taking that suicide pill hidden as the third button on your shirt.

Always ask yourself why they need it, and do you trust them to secure your information.

In Canada right now their are two separate [www.cbc.ca] credit card [www.cbc.ca] breaches under investigation. This isn't even a phishing thing, this is just plain old sloppy security.

I suspect that there are many other breaches that haven't been detected and or reported. So I strongly recommend that you refuse to give out personal information to these locations. Don't sign up for rewards cards, don't let them collect your address, and phone, and SSN, when you buy a t-shirt. They don't need it! And I don't trust them.

In that light, here are some handy tools for the justifiably paranoid:

1. TrueCrypt [truecrypt.org] - Excellent free encryption app for most platforms (even Windows)
2. 10 Minute Mail [10minutemail.com] - Free disposable email addresses
3. Private Phone [privatephone.com] - Free disposable phone numbers
4. MBNA Virtual Cards [washingtonpost.com]* - Virtual credit cards for online purchases that won't ruin your credit if stolen

Of course, if you're too paranoid to use option 4, just keep all your cash in your mattress and buy prepaid credit cards when you want to shop online.

what and who.

[leuk_he]

You are confusing 2 things, but you will not be alone. SSL / certificates only protect WHO is certified, not what that party is doing. You can get a certificate for a company "click ok button" and get certified for this. All the user can do i maybe retrieve your real identity. Paypal (of course) has a good certificate. That does not mean paypal is good, or cares about your money. It only says Paypal is Paypal, not what is paypal is doing with your money or even in what country.

But your advice is correct: do

User Education

[kevin_conaway]

Any problem that relies solely on user education/training is doomed to failure because most users don't care or don't want to be trained. They just want it to work

Re:

[Canordis]

Any problem that relies solely on driver education/training is doomed to failure, because most drivers don't care or don't want to be trained. They just want it to run.

Re:Microsoft final Monopoly

[what about]

I am sure Microsoft would be happy of your proposal

Basically what you say is to give Bill Gates the key of the entire Internet (since the web is the internet now)

Let's Stop and Think Moment

[Prysorra]

"training users actually decreases their ability to detect attacks".

Or you're teaching skills are worth absolute *shit*

Re:

[Iphtashu Fitz]

Or you're teaching skills are worth absolute *shit*

Did you bother to RTFA? The teaching skills aren't the problem. The training the people went through was basically reading the on-line docs that come with IE7 since that's all the training the vast majority of users will ever have access to. It's the poorly written on-line help that is the problem. The on-line docs apparently say something to the effect of "this is what a phishing site will look like", so that's what the users expect to see when they vi

Re:

[steveo777]

I think it's more like the headline should be, "Stupid People Still Stupid".

Just look up the definition of stupid. "Lacking ordinary quickness or keenness of mind". Meaning they either don't know how to learn the skills or simply don't care and ignore their teacher. You meet a lot of these people. Getting angry at the teacher might be justifiable, but as long as the information is presented, and the student wants to learn, there will likely be some skills picked up.

Don't buy them

[richman555]

I've refused to buy these new certificates as it is unclear as to what you are purchasing. I'm not sure why this costs more than the regular $995 certificates that Verisign already offers. It seems that the customer has to pay for Verisign more money to do a better job (of doing what they are already supposed to be doing). You should be verifying companies adequately who purchase your $995 certificates.

No shit. Really?

[xxxJonBoyxxx]

EV certificates don't improve users' ability to detect attacks

No shit. Really?

These "EV certificates" are a joke. If you've been in the industry 5 years or more, you know that the pitch surrounding these certs is 100% identical to the pitch used to sell regular, commercial-CA-signed certs 5 years ago.

Users are right to be confused. When connecting to "consumer" applications from home they might see the IE green bar, but then they go to work and get used to seeing the IE red bar to connect to all their partners' "B2B" websites all day. (Lots, if not most companies seem to use self-signed certs or give out IP addresses to connect to rather than hostnames that match with a valid CA-signed cert for business-to-business web applications.)

Re:

[lukas84]

I don't agree completely with you.

Most B2B shops i know here in switzerland use a cert signed by a well-known CA.

However, most internal IT like webmail (Outlook Web Access or Lotus), etc. uses internals CAs, which are only recognized on managed machines (Active Directory, Novell, whatever).

You mean to tell me

[lenart]

people actually turn this 'feature' ON?

Re:

[AlHark]

By default it is turned on, however it slows down page loads tremendously. As soon as I load IE the first time on a Vista Machine off goes the phishing filter. I don't recommend home users that are clueless to turn it off (they need all the help they can get). But for savvy Internet users that insist on using IE7 then my best recommendation to is turn it off. I guess it is a love it or hate it kind of thing. The only good thing really about the phishing filter is the fact that Microsoft (finally) is attemt

Nothing is secure!

[140Mandak262Jamuna]

I recently got an account in Fidelity, one of the largest mutual funds with assets in billons of dollars. It has 6 to 10 digit numerical password. No special characters, no alphabets. Very simple authentication system. They should know that they will attract phishers and scammers like honey draws the bees. But still the top level decision makers still think like, "my customer is 65 years old and is not tech savvy. They will get confused, make it easy and simple for them". They are making it easy and simple for the phishers and scammers too. Schwab too has a simple username-password. Vanguard is a little better. It monitors the IP address of past logins and puts you through tougher login session first time you log in from a new location. Also it tries to login using two screens and displays a user selected personalization picture and caption to authenticate the server. My bank is horrible with just a four digit numerical password (for the quicken on line access atleast). Fidelity also uses Social Security number as a login id by default. Was not impressed by the login authentication methods of Alex Brown, National Discount Broker, Ameritrade and MFS in the past. Someday they are going to lose millions of dollars and then they will swing in the completely opposite direction and make use climb Mount Everest just to log in.

Re:

[caffeinemessiah]

Is your bank Sovereign Bank in the states, by any chance? Their online authentication system was Social Security / 4-digit pin (same as your ATM pin). I got so sick of it that I changed to Chase.

Re:

[Qzukk]

Someday they are going to lose millions of dollars

They? They? I think you'll find that the reason all of this is insecure is that the companies have worked hard and long to protect themselves against their own stupidity. Just try suing a bank for giving out a loan in your name to an impersonator and ruining your credit record. Hell, try suing the credit bureaus for telling the bank that some criminal was you, or for continuing to damage your reputation by leaving these things on your record for years af

Re:

[mpapet]

There is a standard not surprisingly formulated by VISA/MC/Europay callled EMV. It's not perfect, but it's very good. You'll notice not one peep out of financial institutions about switching to EMV while the rest of the world makes the transition albeit slowly.

One of the problems with it from the American Fascist perspective is it implements some security features that would change the way they collect data about idividual banking activities. Spying on your citizens on a national scale is tricky IT busin

Re:

[hackstraw]

It has 6 to 10 digit numerical password. No special characters, no alphabets. Very simple authentication system. They should know that they will attract phishers and scammers like honey draws the bees.

Phishers and scammers are not detered by "strong" passwords.

Asking for and receiving a password via phishing or scamming is just as easy for a password that is one character between and a million characters. Even with special characters, upper lower case, whatever.

Re:

[140Mandak262Jamuna]

Why treat all the customers the same way? Right at the time of setting up the account ask the user:

1. I am worried about security. Please make me jump through hoops before logging in. I am tech savvy. Tough authenticaion? Bring it on.

2. I am not a very tech savvy customer. Please make it easy to log in.

Why look at it purely from Fidelity's point of view? What about the customer whose account gets compromised and has to jump through the hoops to get the account and money restored? I suspect you do not m

One-sided study

[tsa]

It's a pity that, although other browsers are mentioned in the article, they were not used in the experiments so there is no way of comparing them to IE7, and thus we can not use this article to bash IE7. At least, not if you want to use facts.

Re:

[et764]

...and thus we can not use this article to bash IE7. At least, not if you want to use facts.

You must be new here...

*sigh*

[hobo sapiens]

Of course they're inneffective. Phishing is not an IE problem or a "security" problem. It's a trust problem. If someone was going door to door claiming to be a representative of a bank and asking for account numbers, most people would turn him away and call the cops. Why do we then trust a link in some unsolicited eMail with the same information? Geez.

What's unfortunate here is that since Microsoft, via IE7, made the attempt to protect users from phishing, now they have some degree of responsibility to fix what they never can. Don't claim that you will fix something if you cannot.

Re:

[fleischdot]

It's not a usuable behaviour of bank representatives to request someones pin, so you would refuse to answer if someone asks for it. On websites, and even in their email folders, most people are really confused about questions and very unsure how to act. They don't have some 'common behavior' in mind because something like the netiquette is ancient and ignored by privates as well as by companies.

So, if many of you argue this problem as an educational one, you're only partly right. It's also a problem of abse

Re:

[hobo sapiens]

makes it really difficult for end-users to decide how to rank a message.

Nah. On the web, your default setting should be distrust, especially with unsolicited communication.

Re:

[sloth jr]

makes it really difficult for end-users to decide how to rank a message.

Nah. On the web, your default setting should be distrust, especially with unsolicited communication.

Which is in direct variance with the marketing spiel surrounding the PC industry. So easy! So fun! Get online and get hip! Safer! More secure! Trust us!

Re:

[StartCom]

Except the StartCom CA! http://www.startssl.com/ [startssl.com] ( http://cert.startcom.org/ [startcom.org] )

Re:

[StartCom]

There is higher validation! Just check it out! Except that, low assurances was not the invention of StartCom, but they were the first to provide it without charge! Today in some browsers even trusted by default!
Should you need higher assurance, check out StartCom's Class 2 certificates or the Web-of-Trust [startssl.org] where a notary must be Class 2 validated to start with...And certainly no extortion there...

SSL or EV?

[charter77]

The study didn't actually evaluate the effectiveness of EV Certificates. It evaluated the effectiveness of the mechanism used by Internet Explorer 7 to display the information contained inside SSL certificates. Big difference.

PayTrust handles it right... image gallery

[ClioCJS]

PayTrust.com is my billpay service (they physically receive bills, scan them in, pay them by rules, and send an email to you and your wife, as well as a CD at the end of the year with all your data on it -- password proteced, with a java-based search engine.)

They recently implemented an excellent anti-phishing measure: An image and a phrase.

They had a gallery of 100+ images. I chose a specific one -- an image of mars. They also gave you a phrase. I chose "ALL HAIL XENU!!".

Now, it asks for username

Oh, man, it doesn't get better than this!

[Master of Transhuman]

"...training users actually decreases their ability to detect attacks."

Now you can't even TRAIN users to use Windows securely!

Oh, this is too much! I'm crapping on myself laughing!

Somebody put Microsoft out of business NOW! Please!

Protection Racket

[CiderJack]

This is a thinly veiled protection racket. You're a sole proprietorship, general partnership or individual? You will be labeled as a possible phishing site, and lose potential customers. You are a small (or large) business? Pay up the $1300.00 per year, or you will be labeled a possible criminal and lose business too. These certificates offer the business nothing of value. Pure racketeering, and potentially slanderous in nature. This does little to actively protect the consumer, and once this gets hacked

9 test subjects is not nearly enough

[marwaanr]

Despite what the abstract says, this "research" doesn't really have a sample size of 27 subjects. It's 3 tests of 9 subjects each. That's not much of a sample size. If you look at Figure 4 you'll see that the potential variance on these results is considerably more than the differences we're supposed to be noticing. For example, the Control group on the "Real, confusing" test, the chart indicates that the actual result is 95% likely to be somewhere between 5% and 75%. Thanks guys. That's helpful. In o