We received an interesting comment in reply to the blog post http://www.eset.com/threat-center/blog/2009/10/13/phishing-the-fbi-and-terror. Joseph A'Deo, who apparently works for Verisign, mentioned the use of extended validation SSL (EV SSL).

I am sure that some of you are familiar with EV SSL. Some of you have seen the results of it and perhaps not noticed. Some of you probably are completely unaware of EV SSL.

Let’s start with SSL. In a nutshell, it is what is used to make an https web site. This means that the data between your computer and the web site you are visiting is encrypted. This does not mean the other web site is safe. When you visit a web site that starts with https your browser shows a padlock. Some people think this means it is secure, but it really only means that the data, such as your user name and password, will be encrypted. It is pretty easy for someone to get an SSL certificate so that they can use https on their website.

EV SSL means that the organization, such as Verisign, has done a more thorough background check on the person or company that they are issuing the certificate to. This is a good thing. When I worked at Microsoft, Verisign gave someone a couple of Microsoft digital certificates and the people didn’t even work for Microsoft!!!

When a web site used EV SSL the browser will look a little different to let you know it is an EV SSL site. One problem is that different browsers display EV SSL differently and none of them tell you why it might look different. Another problem is that it is unclear if any significant percentage of the population even notices the difference and if they do notice they probably don’t know what it means.

EV SSL is at best a pretty anemic approach to security. It is better than nothing, but I suspect it is predominantly ineffective.

To prevent phishing attacks EV SSL is no match for conscious computing. Don’t ever click on a link in an email from a bank, PayPal, eBay, or any other place that you are going to enter your user name, a password, a PIN, or other important information.

Randy Abrams
Director of Technical Education