Researchers from Stanford University and Microsoft Research have concluded that extended validation (or high assurance) certificates used in conjunction with Microsoft Internet Explorer (IE) 7.0 don't necessarily improve a user's ability to detect phishing attacks.
The findings were released in a white paper, "An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks," available online in PDF format. In addition, according to the summary statement, users who read a Help file about security features in IE 7.0 faired worse in detecting phishing attacks.
"Across all groups, we found that picture-in-picture attacks showing a fake browser window were as effective as the best other phishing technique, the homograph attack. Extended validation did not help users identify either attack. Additionally, reading the help file made users more likely to classify both real and fake web sites as legitimate when the phishing warning did not appear," the researchers wrote.
Picture-in-picture attacks involve overlaying windows to mask content in order to spoof a legitimate Web site. Homograph attacks involve manipulating text in URLs so that the text appears to be something it's not (e.g., using two "v" characters side by side, which users might see as the letter "w").
The researchers concluded that instead of moving toward better authentication of certificate holders, as is the case with extended validation (high assurance) certificates, browser developers should create an interface that somehow resists picture-in-picture and homograph attacks.
