A while back, I posted an entry on extended validation certificates, along with a few questions about their efficacy. Thankfully, someone with more time and motivation than I actually went out and tested these certificates. Go read the pdf. It's interesting.
Summary: They created a control group that didn't see any of the EVC indicators, a group that saw the indicators, and a group that was trained (read the IE7 help page) and saw the indicators. They then tested each group's ability to identify fraudulent or legitimate web sites, which they also controlled via a reverse proxy setup.
The conclusions are interesting, and chiefly demonstrate that the extended validation certificates are ineffective. In fact, the trained users were more likely to identify both legitimate and fraudulent sites as legitimate. The non-trained group, which still saw the warnings, performed similarly to the control group, which didn't see the warnings at all.
I think there are two interesting points in this study that aren't entirely obvious. First, they describe, without being explicit, the false negative problem inherent in browser-implemented warnings: users expect them to work 100% of the time. A well trained user of average technical ability learns that they should get a warning when a site is bad, and when the warning isn't present, they think the site is good. I'm sure there's a proper term for this, but let's call it the 'false negative logical extension' because the user takes a valid conclusion (sites with warnings are bad) and extends it to an invalid conclusion (sites without warnings are good).
The second interesting point is about client trust, analogous to the 'who watches the watcher' problem. The browser is the content mediator *and* the content validator. The user is coached that content within the browser is not necessarily legitimate, but at the same time is expected to heed warnings from the browser itself about its own content. Technical folks can understand the difference between the client and its content, but the average user can't always do so. That's especially true when the attacker specifically targets that dividing line.
So what's the solution, or more properly, what are the *solutions?* First, the false negative logical extension problem needs to be addressed by taking advantage of the human ability to recognize patterns. We tend to look for focused, singular solutions, but our ability to absorb context should lead us toward multifaceted solutions. A single warning or single visual indicator encourages the user towards a binary interpretation (good/bad), where the reality is a spectrum (good<------------->bad). Let's have multiple visual indicators that are on or off depending on a number of criteria (certificate, EV certificate, SSL/TLS, expired certificate, blacklist, etc). They may not all work all the time, but this strategy encourages users to be suspicious when things don't 'seem right.' This creates the 'dark alley' of the Internet. People tend to avoid dark alleys, not because they're dark or alleys, but because of the combination. It also creates more work for the attacker.
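To make the contrast concrete, here is an added example (mine, not from the post or the study) that models the two interpretations side by side: a single-warning verdict, where "no warning" collapses to "good", and a multi-indicator panel that only lights up on positive evidence and places the site on a spectrum. The `SiteSignals` fields and the scoring weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SiteSignals:
    """Hypothetical model of what a browser could observe about one connection."""
    tls: bool                     # connection uses SSL/TLS at all
    cert_valid: Optional[bool]    # chain validates; None = no certificate to check
    cert_expired: bool
    ev_cert: bool                 # certificate carries EV status
    blacklisted: Optional[bool]   # None = blacklist lookup unavailable


def warnings_fired(s: SiteSignals) -> list:
    """The single-warning model: only outright negative findings trigger anything."""
    w = []
    if s.cert_expired: w.append("expired certificate")
    if s.cert_valid is False: w.append("certificate does not validate")
    if s.blacklisted is True: w.append("on blacklist")
    return w


def binary_verdict(s: SiteSignals) -> str:
    """The trained user's extension: no warning shown => site is good."""
    return "bad" if warnings_fired(s) else "good"


def indicator_panel(s: SiteSignals) -> dict:
    """Each indicator is lit only on positive evidence; absence of a warning lights nothing."""
    usable_cert = s.cert_valid is True and not s.cert_expired
    return {
        "tls": s.tls,
        "validated_cert": usable_cert,
        "ev_cert": s.ev_cert and usable_cert,
        "blacklist_clear": s.blacklisted is False,
    }


def spectrum_score(s: SiteSignals) -> int:
    """Position on the good<->bad spectrum: lit indicators add, negative findings subtract,
    unknowns contribute nothing (assumed weights)."""
    score = sum(indicator_panel(s).values())
    if s.cert_expired: score -= 1
    if s.cert_valid is False: score -= 1
    if s.blacklisted is True: score -= 3
    return score


def spectrum_label(score: int) -> str:
    if score >= 3: return "strong positive evidence"
    if score >= 1: return "some positive evidence"
    if score == 0: return "no evidence either way"
    return "negative evidence"


# Constructed sample connections: plain-HTTP lookalike, legitimate EV site, blacklisted host with a valid cert.
PLAIN_HTTP = SiteSignals(tls=False, cert_valid=None, cert_expired=False, ev_cert=False, blacklisted=None)
EV_SITE = SiteSignals(tls=True, cert_valid=True, cert_expired=False, ev_cert=True, blacklisted=False)
BLACKLISTED = SiteSignals(tls=True, cert_valid=True, cert_expired=False, ev_cert=False, blacklisted=True)
```

The plain-HTTP page fires no warning, so the binary model calls it "good", while the panel shows nothing lit and the spectrum reads "no evidence either way", which is the distinction the trained users in the study lost.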
The 'who watches the watcher' problem is complicated. There's a real usability push to blur the line between the browser and its content. Look at some of the newer web apps out there that have started taking advantage of features like window dragging and right-clicking. An average user can't help but be confused about the line between a client and its content. A content validation tool that is clearly external to the client entirely would help, but would be hard to implement, or rather hard to adopt. You don't really want the police following you around telling you what to do, but you definitely want them there when something bad happens.