Skeptikal.org

Friday, March 19, 2010

Website Security Seals Smackdown

I don't really like picking on security seal vendors- not only is it low-hanging fruit, but it's a somewhat pointless task. No matter how much we point out their faults, they'll keep pushing their snake oil. Website owners will keep paying them to place a logo on their website, and users will keep using those websites. The website owners will attribute conversion spikes to their increased "trust" (though actual A/B tests have seen mixed results), and malicious website owners will simply not bother with those seals. Or they may; it's not like it's hard to fake the seal on your website.

But every once in a while, I get in one of those moods and can't help poking holes. Here goes:

RapidSSL (pic)

InstantSSL (pic)

Entrust (pic)

FreeTrustSeal.com (pic)

Safe Shopping Network (pic)

BuyerShield (pic)

Shopper Safe (pic)

eShopSafe (pic)

Here's one with a SWF poisoning/Cross-Site Flashing attack:

Beyond Security (pic)

Then there are the real gems, where the vulnerabilities are in the certificate verification scripts themselves.

Geotrust (pic)

Webtrust (pic)

TrustOx (pic)

Aexcea (pic)

WebsiteSecure.org (pic)

There are worse things than XSS though. GoDaddy had a local file inclusion vulnerability in certs.godaddy.com (now fixed).
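The difference between the verification scripts above and a sound one, as an added example that is neither from this post nor from any vendor: a seal-check handler is assumed to take a visitor-supplied domain and look it up in a constructed registry; the first function echoes the request value into the page (the reflected XSS pattern), the second validates and escapes, and the image lookup resolves a seal id through an allow-list rather than a request-built path (the general local file inclusion pattern, not the specific certs.godaddy.com bug, which the post does not describe). The registry, the seal ids and the image directory are all made up for the example.

```python
import html
import re
from typing import Optional, Tuple

# Constructed stand-in for a seal vendor's customer registry (assumption:
# the verification script looks the visitor-supplied domain up in such a table).
SEAL_REGISTRY = {
    "shop.example.com": {"seal_id": "S-1001", "status": "active"},
    "store.example.net": {"seal_id": "S-1002", "status": "expired"},
}
SEAL_IMAGE_DIR = "/var/www/seals"  # hypothetical location of seal images

# Strict hostname pattern: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def verify_vulnerable(domain: str) -> str:
    """The pattern behind the reflected XSS findings: the request value is
    written straight into the page, so whatever the visitor sends is rendered
    as markup on a page that claims to certify the site."""
    entry = SEAL_REGISTRY.get(domain)
    state = entry["status"] if entry else "unknown"
    return f"<h1>{domain}</h1><p>Seal status: {state}</p>"


def verify_hardened(domain: str) -> Tuple[int, str]:
    """Validate before lookup, render only registry data, and escape everything.
    Returns (HTTP status, body)."""
    candidate = domain.strip().lower()
    if not HOSTNAME_RE.match(candidate):
        # Reject anything that is not a hostname; never echo the raw value.
        return 400, "<p>Invalid domain.</p>"
    entry = SEAL_REGISTRY.get(candidate)
    if entry is None:
        return 404, "<p>No seal is registered for that domain.</p>"
    # The rendered name is the validated registry key, escaped regardless.
    name = html.escape(candidate, quote=True)
    state = html.escape(entry["status"], quote=True)
    return 200, f"<h1>{name}</h1><p>Seal status: {state}</p>"


def seal_image_path(seal_id: str) -> Optional[str]:
    """Resolve a seal image through an allow-list of known ids instead of
    splicing the request parameter into a filesystem path."""
    known = {e["seal_id"] for e in SEAL_REGISTRY.values()}
    if seal_id not in known:
        return None
    return f"{SEAL_IMAGE_DIR}/{seal_id}.png"
```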

Honorable mention goes to Digicert, who paid enough attention to fix their XSS and send me a thank you email.

The good news is that the FTC has fined ControlScan for misrepresentations regarding their security seals, and the PCI council is starting to crack down on bullshit marketing. I'm hoping this trend continues, but the only real solution is for users to realize that those seals are useless, and in some cases, dangerous.

As a side note, I received a spam comment on my blog a few weeks ago from a hosting company named TVCNet. Their claim: "PCI compliance on a shared server is very doable. Been PCI compliant for years on my shared server." Their website claims that they provide free PCI compliance, and you can bet they spin more than their fair share of BS. Of course, all they really offer is cPanel servers with a McAfee Secure scan. Also, as expected, not only is their website vulnerable to XSS and CSRF, but every one of their customers' cPanel servers comes with the standard formmail.cgi XSS and cgiecho information disclosure vulnerabilities.

And another side note, apparently there are quite a few resellers that offer free McAfee Secure scans. You should sign up. Heck, sign up your friends. I'm sure they'll thank you.

Props to Adam Baldwin for chipping in the Geotrust and InstantSSL XSS vulns.


Wednesday, March 10, 2010

Old-School Hackers

My mom's uncle Bob passed away last night. That's too bad; I never really spent a lot of time with him, and I didn't even know he existed until about a year ago, when I was traveling through southern Utah with my family and we decided to pop in and visit. He was awesome.

While I'm not really active in the DIY community, I always had that mentality- when I was a kid, I'd spend days playing with my Erector set or taking apart toasters and hard drives, eventually graduating to cars and motorcycles, and finally getting into the software side of computers. I consider breaking, fixing and building things an essential part of life, but anything I can do pales in comparison to Uncle Bob. He lived through the Great Depression, and spent most of his life in a farming community that never really made it out of the depression. He never threw anything away, and his back yard was a massive junk yard- the kind of place that car people fantasize about. Old tractors, vintage Fords, Chevys, Cadillacs, and a weather-beaten-but-mostly-intact International Harvester (remember Mater from the film Cars?). Most of them aren't salvageable, but there are some gems. He flew a Cessna until its hangar collapsed in a windstorm, at which point he bought a Corvette "so he could still fly." Like many of us, he was a serial career changer, doing what he thought was interesting, moving on when he found something else.

Uncle Bob had a perpetual motion machine (except he didn't like people calling it that, because that's impossible; it was a "generator") that would lift a weight up an inclined plane, let it slide down, powering a generator that charged a battery that in turn would lift the weight up... I have no idea how it was supposed to work, because he never did figure out the friction issue. Maybe somebody here has ideas. It was a pretty cool bit of fabrication, at any rate.

No point to this post really, I've just been meaning to write about him since I met him. We could all learn a lot from the hot rodders, builders, mechanics, and DIY-enthusiasts-by-necessity of past generations.

If not, they still have great stories.