Website Security Seals Smackdown
2010/03/19
Mike Bailey
I don't really like picking on security seal vendors- not only is it low-hanging fruit, but it's a somewhat pointless task. No matter how much we point out their faults, they'll keep pushing their snake oil. Website owners will keep paying them to place a logo on their website, and users will keep using those websites. The website owners will attribute conversion spikes to their increased "trust," (though actual A/B tests have seen mixed results) and malicious website owners will simply not bother with those seals. Or they may, it's not like it's hard to fake the seal on your website.
But every once in a while, I get in one of those moods and can't help poking holes. Here goes:
RapidSSL (pic)
InstantSSL (pic)
Entrust (pic)
FreeTrustSeal.com (pic)
Safe Shopping Network (pic)
BuyerShield (pic)
Shopper Safe (pic)
eShopSafe (pic)
Here's one with a SWF poisoning/Cross-Site Flashing attack:
Beyond Security (pic)
Then there's the real gems, where the vulnerabilities are in the certificate verification scripts themselves.
Geotrust (pic)
Webtrust (pic)
TrustOx (pic)
Aexcea (pic)
WebsiteSecure.org (pic)
There are worse things than XSS though. GoDaddy had a local file inclusion vulnerability in certs.godaddy.com (Now fixed).
Honorable mention goes to Digicert, who paid enough attention to fix their XSS and send me a thank you email.
The good news is that the FTC has fined ControlScan for misrepresentations regarding their security seals, and the PCI council is starting to crack down on bullshit marketing. I'm hoping this trend continues, but the only real solution is for users to realize that those seals are useless, and in some cases, dangerous.
As a side note, I received a spam comment on my blog a few weeks ago from a hosting company named TVCNet. Their claim: "PCI compliance on a shared server is very doable. Been PCI compliant for years on my shared server." Their website claims that they provide free PCI compliance and you can bet they spin more than their fair share of BS. Of course, all they really offer is cPanel servers with a McAfee Secure scan. Also as expected, not only is their website vulnerable to XSS and CSRF, but every one of their customers' cPanel servers comes with the standard formmail.cgi XSS and cgiecho information disclosure vulnerabilities.
And another side note, apparently there are quite a few resellers that offer free McAfee Secure scans. You should sign up. Heck, sign up your friends. I'm sure they'll thank you.
Props to Adam Baldwin for chipping in the Geotrust and InstantSSL XSS vulns