Will EV SSL Certificates Work?
Several months ago, Michael Sutton posed the question: Will EV SSL Certificates Work? After some simple analysis, he concluded:
Who will benefit from EV SSL Certificates?
The two entities that will benefit from EV SSL certificates are CAs and criminals. CAs will make more money as they now have a more expensive product to sell. At the same time, organized and motivated criminals can now obtain a seal of approval to make their operations appear legitimate. End users, on the other hand, will receive a false sense of security which will lead to further confusion about the security provided by SSL certificates. Once again, a security initiative designed to protect end users is DOA.
While criminals can certainly incorporate a company and pay a little extra money for an EV certificate, they would be hard-pressed to escape legal prosecution if they ever broke the law using that certificate.
A related question is whether EV certificates work at all to instill more trust in customers. Some initial studies showed that they wouldn't (see Study Finds IE7 + EV SSL Won't Stop Phishing), but now that EV certificates have been in use for a while, some positive results have been reported:
Overstock.com measures abandonment decrease of 8.6% with EV certs
What PayPal has to say about EV SSL
DebtHelp measures ROI of over 16,000% with EV certificates
Still, the more important question is whether they work to stem the ever-rising number of phishing attacks. It appears that, until users actually place more trust in the "green bar", EV certificates won't be effective in preventing phishing, because attackers will continue to use low-assurance certificates.
Originally posted on Mon Jun 25, 2007