Are security seals all they're cracked up to be?


Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals

The success of e-commerce depends on secure channels for business. Webshop owners must not only provide safe ways for customers to transact, but also convince customers that their transactions are secure. Certification from a trusted third party is one way of earning this trust. A security seal provides a visual symbol that can reassure potential online customers of the trustworthiness of a website. A visible security seal often indicates that a website has been tested for issues such as known vulnerabilities or implanted malware, although the criteria for earning a certification vary, as does the rigour of the testing. Goethem et al. tested whether these security seals actually represent greater security, with a combination of three methods, summarized below.

Websites with security seals are not, in fact, more secure than their counterparts. Beyond simply failing to detect issues with websites, seals can actually facilitate attacks by:

  • Identifying vulnerable targets. When a certification is suspended, the seal provider often changes the image on the client's website until the issues are remedied. That change, discoverable by web-crawling technology, indicates a site with a vulnerability that can be exploited.
  • Providing a method for discovering vulnerabilities. The scanning techniques used by seal providers are a series of requests that can be exploited to find issues with websites.
  • Deceiving potential customers. A security seal can be mimicked on a phishing site to provide false reassurance about website validity.

Website owners should carefully consider their choice of third-party seal provider, while also performing their own due diligence in security testing. Seal providers could more rigorously test their scanning tools against known vulnerabilities, to improve the coverage of potential threats. Further, when a security issue is identified, seal providers can provide a grace period for website owners to remedy the problem before removing the seal as a penalty; this could prevent some use of the seals as a vulnerability scanner.

Security seals can be far from a guarantee of safety and could be subverted for nefarious purposes.