Skeptikal.org

Friday, March 19, 2010

Website Security Seals Smackdown

I don't really like picking on security seal vendors: not only is it low-hanging fruit, but it's a somewhat pointless task. No matter how much we point out their faults, they'll keep pushing their snake oil. Website owners will keep paying them to place a logo on their website, and users will keep using those websites. The website owners will attribute conversion spikes to their increased "trust" (though actual A/B tests have seen mixed results), and malicious website owners will simply not bother with those seals. Or they may; it's not like it's hard to fake the seal on your website.

But every once in a while, I get in one of those moods and can't help poking holes. Here goes:

RapidSSL (pic)

InstantSSL (pic)

Entrust (pic)

FreeTrustSeal.com (pic)

Safe Shopping Network (pic)

BuyerShield (pic)

Shopper Safe (pic)

eShopSafe (pic)

Here's one with a SWF poisoning/Cross-Site Flashing attack:

Beyond Security (pic)

Then there are the real gems, where the vulnerabilities are in the certificate verification scripts themselves.

Geotrust (pic)

Webtrust (pic)

TrustOx (pic)

Aexcea (pic)

WebsiteSecure.org (pic)

There are worse things than XSS though. GoDaddy had a local file inclusion vulnerability in certs.godaddy.com (now fixed).

Honorable mention goes to Digicert, who paid enough attention to fix their XSS and send me a thank-you email.

The good news is that the FTC has fined ControlScan for misrepresentations regarding their security seals, and the PCI council is starting to crack down on bullshit marketing. I'm hoping this trend continues, but the only real solution is for users to realize that those seals are useless, and in some cases, dangerous.

As a side note, I received a spam comment on my blog a few weeks ago from a hosting company named TVCNet. Their claim: "PCI compliance on a shared server is very doable. Been PCI compliant for years on my shared server." Their website claims that they provide free PCI compliance and you can bet they spin more than their fair share of BS. Of course, all they really offer is cPanel servers with a McAfee Secure scan. Also as expected, not only is their website vulnerable to XSS and CSRF, but every one of their customers' cPanel servers comes with the standard formmail.cgi XSS and cgiecho information disclosure vulnerabilities.

And another side note, apparently there are quite a few resellers that offer free McAfee Secure scans. You should sign up. Heck, sign up your friends. I'm sure they'll thank you.

Props to Adam Baldwin for chipping in the Geotrust and InstantSSL XSS vulns.


7 Comments:

  • pure gold

    By Blogger Fabian, At March 19, 2010 12:27 PM  

  • This comment has been removed by the author.

    By Blogger digicert_paul, At March 20, 2010 7:06 AM  

  • Thanks a lot for the DigiCert honorable mention!

    Paul Tiemann (CTO, DigiCert)

    By Blogger digicert_paul, At March 20, 2010 7:09 AM  

  • I work for VeriSign and even I have to agree with much of this post -- the feedback from customers of a lot of trust marks lately has not been stellar, and as you point out the FTC is now even cracking down. Not great for companies who are actually issuing seals that DO something. Which brings to my point that not all seals are snake oil -- of course I feel the need to defend the VeriSign Trust Seal, but that product does scan for malware on customers' sites in addition to the usual "seal of approval" authentication.

    My question, both to you and to industry insiders would be -- how to fix this problem? Require vendors of security/trust seals to follow stricter guidelines? Issue an industry-wide standard for what a security/trust seal should offer? Or scrap them altogether?

    By Blogger Joseph, At March 29, 2010 2:48 PM  

  • hahaha good job!

    By Anonymous Anonymous, At July 30, 2010 8:21 AM  

  • Hi,
    You mentioned TVCNet, for whom I work.

    Please send me an email at jim @tvcnet.com or call me at 1800.639.6442. I will give you an account to test PCI wise with any of the standard PCI scanning vendors.

    Your comments seem a bit harsh for someone who does not have service with us respectively.

    Our statement is correct in that even our $3 a month clients are PCI compliant according to McAfee and the other PCI compliance scanning companies our clients have used in the past five years.

    I do agree with you on some of your specific points, but our claim is only referring to the PCI scans the credit card companies require (which meet a relatively low level compliance standard). Set up a shared account with us and I'll demonstrate we'll pass the standard PCI certification standard.

    Personal note on this. PCI compliance scans are a good way to lock down the obvious security issues with a web host, and the seals demonstrate the owner is at least going that extra step to improve the security of their website. Are PCI scanning seals indicators that the website cannot be hacked? Of course not.

    By Blogger TVCNet Hack Repair, At October 28, 2010 3:47 PM  

  • I'd like to hear more about this free PCI scan that confers compliance with some scan. I'd like to see how that breaks down with each of the PCI DSS requirements.

    -LonerVamp

    By Anonymous Anonymous, At October 28, 2010 4:21 PM  
