The catalog gives its visitors the added sense of security by turning the address bar in my Firefox browser yellow, and adding a padlock to the address bar. When I float my mouse over the padlock, I get the "Authenticated by Equifax" popup.
When I click on it, it says:
SSL Server Certificate
Common Name *.sslpowered.com
Serial Number: 08:90:D2
Equifax Secure Certificate Authority
Issued On: 1/11/1008
Expires On: 2/10/2010
Unfortunately, someone put a Meadows Credit Union phish in a subdirectory of the catalog.
Visitors to that phishing site will see the same "warm fuzzy" yellow bar, and the same "Authenticated by Equifax" message.
Which brings me to the point of this article. We are all talking about Extended Validation Certificates, which will turn your address bar green, "proving" that the site is legitimate. What proof do we have that someone hasn't hacked the legitimate site and used it for an illegitimate purpose. That's what we see here with a "pre-" EV Certificate. German Import House is a legitimate site, and paid for an Equifax Certificate to prove so. However, the visitor to the Meadows Credit Union phishing site is ALSO going to see the Certificate behavior. But what does that prove?
How much danger are we in when we train our users that a colored address bar means they are safe - and then phishers hack those sites to host phishing content? The user sees a colored bar and a padlock -- one that really has a corresponding certificate on file -- and decides that its a safe site. Are EV Certs the answer? or just another way to train users that they don't have to think?