Ka-Ping Yee wrote:
A.  Users who don't click on bank website links in e-mail (and instead
    navigate by bookmark or URL)

B.  Users who can distinguish the chrome from the page and look for
    padlocks in the chrome, ignoring padlocks in the page

These people are helped because currently phishers can (should they choose) get domain-validated certs for their phishing domains pretty easily.

C.  Users who can distinguish the chrome from the page and look for
    a yellow URL bar in the chrome, ignoring URL bars in the page

Ditto.

D.  Users who can distinguish the chrome from the page and look for
    'https' in the URL bar in the chrome, ignoring URL bars in the page

Ditto.

E.  Users who can distinguish the chrome from the page and don't notice
    the 'https', the yellow bar, or the padlock in chrome now, but
    would notice a green bar in the chrome

F.  Users who can reliably tell whether SSL is enabled, but could be
    socially engineered into ignoring it ("sorry, encryption is down
    today; certificate will be updated soon; please proceed anyway")

EV has a potential to help here; because the green bar has some backing, unlike the lock, banks and other sites can tell their users to require it.

G.  Users who can't tell the difference between the chrome and the
    page (and e.g. would be fooled by a picture-in-picture attack)

The URL bar is now no longer disableable, which helps with this.

This is just off the top of my head -- the above is surely incomplete.
Anyway, my point is: none of these seven types of users can be
casually dismissed as "stupid".

Straw man; I didn't.

We don't know exactly how many users are in each group.  Group A
describes many people I know -- but all those people are immune to
phishing attacks, so that clearly doesn't represent everyone.
Research shows that lots of people are in groups G and H. [1]

Quite possibly. Where did I say that EV would be the only thing we ever did about phishing?

Given that Microsoft (as far as i know) is the only browser vendor so
far to implement an EV UI, have they run user studies on it?

I believe so; I can ask them whether they'd share.

Does
Mozilla have plans to run user studies on the EV UI in Firefox?

No more plans than we have to run studies on other bits of the UI.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security