Bad evidence #3
Another paper that's oft cited by those who want to discredit Extended Validation SSL was published soon after the release of EV SSL at the beginning of 2007 and is titled "An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks," authored by Stanford student Collin Jackson.
The Jackson paper is frequent link fodder, usually for bloggers who want to prove that Extended Validation SSL is not the considerable step forward in Web security that the community at large perceives it to be. Typically the link accompanies some broad statement like, "These certificates have been shown not to work." Indeed, if you read the paper's abstract, it appears to back up that claim,
Across all groups, we found that picture-in-picture attacks showing a fake browser window were as effective as the best other phishing technique, the homograph attack. Extended validation did not help users identify either attack.
Before we can draw that conclusion, however, let's look at Mr. Jackson's paper a little more closely. The results reported in this paper are meaningless for the simple reason that the data set is so small that the margin for error far exceeds the results to which we're supposed to be attributing significance.