Seals certifying the security of e-commerce sites and other online destinations have long aroused suspicions that they're not worth the bits they're made of—much less the hundreds or thousands of dollars they cost in yearly fees. Now, computer scientists have presented evidence that not only supports those doubts but also shows how such seals can in many cases make sites more vulnerable to hacks.
The so-called trust marks are sold by almost a dozen companies, including Symantec, McAfee, Trust-Guard, and Qualys. In exchange for fees ranging from less than $100 to well over $2,000 per year, the services provide periodic security scans of the site. If it passes, it receives the Internet equivalent of a Good Housekeeping Seal of approval that's prominently displayed on the homepage. Carrying images of padlocks and slogans such as "HackerProof," the marks are designed to instill trust in users of the site by certifying it's free of vulnerabilities that hackers prey on to steal credit card numbers and other valuable customer data.
A recently published academic paper discovered an almost universal lack of thoroughness among the 10 seal providers studied. For one thing, the scientists carried out two experiments showing that the scanners failed to detect a host of serious vulnerabilities. In one of the experiments, even the best-performing service missed more than half of the vulnerabilities known to afflict a site. In another, they uncovered flaws in certified sites that would take a typical criminal hacker less than one day to maliciously discover. Most strikingly, the researchers developed attacks that are enabled by a site's use of security seals, a shortcoming that ironically makes sites that use some seals more vulnerable than if they didn't use the service.