This post is a quick follow-up on Trent Henry's "This Green Bar Will Save Your Life!" and a subsequent call with Verisign to discuss the merits of Extended Validation SSL certificates.
If you look at the Verisign EV SSL case studies it's pretty clear what the selling point is. Lines such as "48,000% ROI" and "30% more conversions" should be enticing enough to many a merchant. The thinking, of course, is that a customer will be more trusting of the merchant's online presence (i.e. less likely to abandon a purchase). Even if the ROI isn't quite so high, this may well be a case of an investment so small - to larger merchants - that it doesn't hurt to try, or perhaps a case of not wanting to be seen as an organization that "doesn't care about security because it doesn't use the green bar."
So although I'm not sold on the exact numbers, I do get the economics - the ROI potential is rosy, but what about the ROSI (return on security investment)? Let's set aside for a minute the browser-side and server-side issues with cross-domain content as discussed in Trent's post and shown by the PayPal XSS vulnerability last year, as these are not solvable with just EV SSL (I've commented on the need for better browser controls here). We'll focus on the usability side: how well does the green bar help users resist "plain" phishing?
Two case studies we discussed on our call did actually note an increase in phishing resistance for the consumers, but - like the economic studies - these were not controlled for other variables. One was a laboratory experiment, from which nothing can be concluded about long-term effects. And while the other was a real-life study, EV SSL was deployed along with a consumer security awareness campaign and other controls - it's particularly difficult to determine the efficacy contribution of a single control in such a case.
In other words, I find these studies promising but inconclusive. I'm certainly not looking to diss the idea of EV SSL. In fact, from a usability perspective I think the green browser bar is a gigantic leap forward from the padlock icon. However, I'm not at all sold on the security benefits beyond the increased consumer trust (if you want to call that a security benefit) that brings more money to the merchants. My hope is that we'll see more, and better, studies on this subject and work towards a better browsable future - after all, you can only manage what you measure.