Marketers at security giant McAfee peddle their Secure trust mark service as an easy way for online merchants to showcase the safety of their websites. Participating sites display a seal, linked to a page stating that the site has passed a rigorous security scan performed daily. But a pair of security consultants say the program can, in many cases, tip off malicious hackers to easy-to-exploit vulnerabilities that might otherwise go unnoticed.
That's because a design flaw in the service, and in competing services offered by Trust Guard and others, makes it easy to discover in almost real time when a customer has had the seal revoked. A revocation is a sign that the site has either failed to pay its bill, been inaccessible for a sustained period of time, or, most crucially, is no longer able to pass the daily security test.
"It's basically McAfee, Trust Guard, and all these other guys raising the flag, saying, 'Hey guys, these sites are vulnerable to attack. Go after them,'" Shane MacDougall, a security researcher with Tactical Intelligence, told Ars. "They all suffer from this fatal design flaw, which is you're raising a flag over your castle and you're pulling the flag down when you're vulnerable to attack. Who in their right mind would do that?"
[...]