Bad evidence #2

Created: 12 Mar 2008 • Updated: 18 Dec 2012
Tim Callan

This one is just plain imaginary. Seriously. Imaginary.

I've seen it trotted out to make the case that EV SSL doesn't work, as in this example where the author seeks to defend Safari against PayPal's recommendation to its users not to use this browser.

The "source" is a research paper published in April 2007. The paper is quite real, and it studies users' understanding of interface conventions in Internet Explorer 6. Just by reading the paper's abstract you can see that the paper draws no conclusion about the EV interface conventions in IE7. It does indict other security indicators, however.

"We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 92% participants who used their own accounts entered their passwords."

Reading the text of the paper itself, it's unambiguous that these tests were conducted using IE6 and did not include IE7's green bars or red bars at all.

So why do we see this paper used as evidence that the IE7 interface conventions don't work?