Do anti-phishing toolbars in web browsers stop phishing attacks? No. Can they reduce them, even for savvy users? Yes. Are they all equally effective? No.

MIT researchers found that users are highly likely to ignore anti-phishing toolbars… especially those designed to verify SSL certificates.

Min Wu, Robert Miller and Simson Garfinkel tested three types of toolbars:

  1. Neutral info: Lists website domain name, hostname, host country, etc.
  2. SSL-verifying: Displays SSL certificate logos, warning for non-SSL sites.
  3. System decision: Shows a stoplight, red = bad, yellow = ?, green = good.

The researchers installed browser toolbars without training the subjects in their proper use. Then subjects were asked to do various tasks requiring a username and password, like adding to a Wish List. The subjects incorrectly divulged usernames and passwords to the phishing sites 52% of the time.

After users were dragged through a tutorial, successful Neutral Info toolbar spoofs dropped to 28% while spoofs of those using System Decision toolbars plummeted to 15%. SSL-verification users were fooled 35% of the time.

While none of the failure rates are encouraging, the high level of SSL-verification spoofs is particularly odd. After all, this is one of the top methods endorsed by major anti-phishing groups.

The researchers reasoned:

We tried to make every toolbar accurate enough to distinguish phishing sites from legitimate sites. The System-Decision toolbar displayed a red or yellow light at the phishing sites but a green light at the good sites. The Neutral-Information toolbar showed all phishing sites as either a “new site” or hosted in a non-US country (or both), but all good sites as hosted in the US and in existence for several years. But it turned out that 9 of the 18 online stores that we chose for this study had login pages that were not protected by SSL, so the SSL-Verification toolbar produced warnings even for legitimate sites. Thus, the SSL-Verification toolbar failed to adequately distinguish fake sites from good ones.

A recent E-Soft survey backs up the MIT team’s findings concerning the scarcity of good SSL certificates. E-Soft found that, even among those who bother to implement SSL certificates, only 38.7% of the certificates encountered are valid. The rest were self-signed, signer unknown, mismatched between certificate and host, or expired.

The MIT folk conclude that toolbar makers need to make their warnings 100% accurate and more intrusive when they find a suspect site asking for sensitive information. Great insight, as far as it goes. But then they step off a cliff.

Wu, Miller and Garfinkel say that everybody should use SSL to encrypt every single page on every website. And make sure you buy SSL certificates from widely-used Certificate Authorities and keep them current. Right.

Many web servers are non-transactional. They simply dole out information, without requiring logins or any other sensitive input. Thus, few admins feel the need to incur the additional costs and headaches of maintaining SSL encryption and certificates for every website.

Here’s a rule-of-thumb that’s gaining mindshare: If you have to log in, SSL it.
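As an added example (not part of the original article or the MIT study), here is a small Python check for that rule of thumb: it scans a page for login forms (forms containing a password field) and flags any not protected by SSL, either because the page itself is served over plain HTTP, which is the situation the researchers hit with 9 of their 18 stores and which makes an SSL-verifying toolbar warn on a legitimate site, or because the form posts credentials to a non-HTTPS action. The sample pages and the store.example hostname are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _LoginFormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: {"action": str, "password": bool}
        self._current = None   # index of the <form> being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
            self._current = len(self.forms) - 1
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self.forms[self._current]["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_unprotected_logins(page_url, html):
    """Return (reason, page_url, action_url) for each login form not fully under SSL.
    "page-not-ssl": the login page is plain HTTP, so an SSL-verifying toolbar warns even
    if the form posts to HTTPS. "action-not-ssl": HTTPS page posting credentials to HTTP."""
    scanner = _LoginFormScanner()
    scanner.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue                                  # not a login form
        action = urljoin(page_url, form["action"])    # empty action posts back to the page
        if not page_https:
            findings.append(("page-not-ssl", page_url, action))
        elif urlparse(action).scheme != "https":
            findings.append(("action-not-ssl", page_url, action))
    return findings

# Constructed sample pages with a hypothetical hostname, one per situation.
SAMPLE_PAGES = [
    ("http://store.example/login", '<form action="https://store.example/auth"><input type="password" name="pw"></form>'),
    ("https://store.example/login", '<form action="http://store.example/auth"><input type="password" name="pw"></form>'),
    ("https://store.example/login", '<form action="/auth"><input type="password" name="pw"></form>'),
    ("http://store.example/", '<form action="/search"><input type="text" name="q"></form>'),
]

def scan_samples():
    # Run the check over SAMPLE_PAGES and return every finding, in page order.
    return [f for url, html in SAMPLE_PAGES for f in find_unprotected_logins(url, html)]
```

Only the first two sample pages produce findings; the third is a login fully under SSL and the fourth has no password field at all.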

Email Battles Backgrounder: