“Secure” Sites Are Actually Less Secure

From Ars Technica:

The so-called trust marks are sold by almost a dozen companies, including Symantec, McAfee, Trust-Guard, and Qualys. In exchange for fees ranging from less than $100 to well over $2,000 per year, the services provide periodic security scans of the site. If it passes, it receives the Internet equivalent of a Good Housekeeping Seal of approval that’s prominently displayed on the homepage.

Unfortunately, that seal is virtually meaningless, according to a recent scientific paper.

A recently published academic paper discovered an almost universal lack of thoroughness among the 10 seal providers studied. For one thing, the scientists carried out two experiments showing that the scanners failed to detect a host of serious vulnerabilities. In one of the experiments, even the best-performing service missed more than half of the vulnerabilities known to afflict a site. In another, they uncovered flaws in certified sites that would take a typical criminal hacker less than one day to maliciously discover.

That’s not all. The seal itself can make the site more vulnerable.

Most strikingly, the researchers developed attacks that are enabled by a site’s use of security seals, a shortcoming that ironically makes sites that use some seals more vulnerable than if they didn’t use the service.

So not only should you ignore security seals, but you might want to hesitate before doing business with websites that use them.

Featured image: “Secure shopping icon” from Shutterstock.

Leave a Reply