How Effective will Extended Validation SSL Be?

An article posted on the PC World Web site this week pointed to the explosion in phishing sites last year, and examined the potential phishing threat now and in the future.

According to the article:

“In November 2006, the last month for which data is available, the Anti-Phishing Working Group found 37,439 new sites, up an astounding 709 percent from the 4630 sites in November of 2005.”

We’ve seen lots of news regarding the launch of extended validation certificates from the SSL certificate authorities, and the Web hosting businesses that sell their products.

Extended validation certificates, for the behind-the-SSL-times out there, are the result of a standard for improved validation developed collaboratively by certificate authorities in a group called the CA/Browser Forum.

According to VeriSign (one of the companies involved in developing the standard):

“To issue an SSL Certificate that complies with the standard, a CA must adopt the extended certificate validation practice and pass a Webtrust audit. The validation process requires the CA to authenticate the certificate applicant’s domain ownership and organizational identity, as well as the individual approver’s employment with the applicant, and authority to obtain the Extended Validation SSL Certificate.”

At the beginning of this year, Web browsers including Internet Explorer 7 and Opera began offering support for the new standard, highlighting the address bars of validated sites in green.

Of course more validation is a good idea. And of course added validation will make certain specific phishing attacks ineffective and phishing in general more difficult to pull off.

But how effective will EV certificates be in general?

A report cited in a ZDNet article, also posted this week, says that studies have shown that EV certificates may be limited in their effectiveness at the moment.

According to this article:

“According to a recent usability report released by Microsoft and Stanford University, new Internet security tools such as EV SSL certificates have limited potential to defend against fraud by identifying the source of content displayed on a Web browser.”

Specifically, they rely on the user, at least somewhat, to understand the certificates and their use. And without being educated on the operation of SSL certificates, a user might not be equipped to recognize an EV cert in action. And it seems to me that the kind of user who is unaware of SSL technology is the same user who would probably be most likely to fall victim to a phishing scam in the first place.

It would also stand to reason that “extended validation” was made necessary in the first place because ordinary or standard validation was less than 100 percent effective in stopping sites from being spoofed.

Phishers are already in the business of identity theft and fraud. And underestimating their ability to commit fraud would be an obvious mistake. Whether they’ll be able to defraud certificate authorities to acquire EV certs of their own, or find some other way around the technology is the question. I wouldn’t be quick to bet against them.

I also spoke this week to Scott Cutler, executive VP at email and spam filtering firm AppRiver.

(I’ll discuss the interview further in a separate blog post)

He had a lot of interesting things to say about the cat-and-mouse game that takes place between spammers (and phishers) and the companies that work to protect users from them.

But among the most interesting impressions I took away was the awareness that anti-spam operators have of the abilities of spammers to circumvent just about any barrier we can put in their path.

While it may have once seemed that the spam problem was on its way to being “solved,” anti-spam operators these days are operating from the assumption that spammers already have their next step planned.

Spamming and phishing, while often part of the same package, are not the same thing. And an SSL certificate is, of course, a completely different style of defense from a blacklist. But it’s often the same people on the other side of those defenses, and their resources are remarkable.

It may be that the question is not “how effective will extended validation certificates be?” but “how long will extended validation certificates be effective?”
