2/9/2007
02:10 AM
Are 'Sealed' Websites Any Safer?

Website seals are designed to make buyers feel safer. But are sites with seals really more secure?

Hacker Safe, ControlScan, VeriSign, Cybertrust -- what's in a Website label, anyway?

As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, attest that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is not a phish or a phony. (See Cybertrust Enters EV SSL Fray.)

And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust, are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

But are sites with a Website seal really more secure?

Website operators say displaying these logos demonstrates that they have made a good faith effort to run a clean site, and that they are being proactive in securing their sites. "I know that by implementing [Hacker Safe], I'm still ten times more secure than without it," says Lynnette Montgomery, general manager of e-commerce for Levenger, a $75 million reading and writing tools retailer that offers its products online as well as through stores and paper catalogs. "It's more that you are covering your bases, trying to be the best you can be, honest and putting your best foot forward."

Montgomery says another attraction of the Hacker Safe seal is its potential to bring in new customers. "Most companies I spoke to [about Hacker Safe] increased their conversion rate," she says. And that provides an ROI for the security service: "If I receive a two percent increase in conversion of customers, that's almost $500,000 in additional sales," she explains.

There are over 75,000 sites with the Hacker Safe seal today, including the American Red Cross, Fidelity National Financial, General Nutrition Center, HP, Johnson & Johnson, Nike, Northrop Grumman, Petco, Sony, The World Bank, Visa, Warner Brothers, and Yahoo.

ScanAlert CEO and founder Ken Leonard says the ROI aspect of the Hacker Safe seal helps IT not only meet a standard of security but also appeals to an organization's marketing department. "The marketing department sees the advantage of Hacker Safe," he says.

But some security experts say a Website label is just that -- a marketing tool to make a site more "sticky," without really guaranteeing a site's security or legitimacy. ScanAlert's Hacker Safe seal, for instance, came under fire last fall when the sla.ckers.org hacker group found cross-site scripting (XSS) vulnerabilities on several Websites emblazoned with ScanAlert's Hacker Safe seal. And critics say the EV SSL seals from VeriSign and Cybertrust aren't safe from serious criminals, who can also nefariously obtain these seals of approval. (See Hackers Reveal Vulnerable Websites and Two Vendors Deny XSS Flaws.)

"[Labels] aren't necessary from a security standpoint," says Jason Reed, a principal consultant with Systems Experts, who adds that they instead demonstrate a good faith effort. "It doesn't make you more secure, but it does mean you tried," he says.

Reed, who performs vulnerability assessments and analysis for companies, says some of his clients also use services like Hacker Safe. "They bring me in to do in-depth analysis," he says.

The bottom line is that there's no way to truly guarantee a secure Website. ScanAlert estimates that more than half of the new customers it enrolls initially arrive with XSS flaws, and nearly half with database vulnerabilities like SQL injection.

And all it takes is one hole on a site. "[Website seals] may do some amount of good on the networking side, but from a Web application perspective, they do nothing," says sla.ckers member Kyran, who has found many XSS flaws in Hacker Safe and other sites. "On most of their sites, they say something similar to '99.99 percent secure!' While this may be true -- [and] it usually isn't -- that 0.01 percent could be used as an exploit itself, or it could be used as a tool in social engineering. That small hole reduces the integrity of the entire site."

Meanwhile, Tim Callan, product marketing director of SSL for VeriSign, notes that EV SSL was developed in part to help restore confidence in ecommerce sites.

"The purpose behind EV SSL is to provide a trustworthy badge visitors can see," he says. "It was needed for a variety of reasons -- with the advent and meteoric rise in lost confidence on sites. We had seen a dropoff in online purchases because there was a general sense of 'I don't know if I'm being defrauded or not,'" he says.

But Jeremiah Grossman, CTO of White Hat Security, which provides Web application security services, says EV SSL sites are still hackable. "They don't have any bearing on the security of the Website [itself] -- only that you're coming into a trusted site," he says.

Brett Oliphant, vice president of security services for ScanAlert, says that to some extent, Hacker Safe and SSL certified seals such as VeriSign's compete, which can be confusing for consumers.

"We think the consumer has been misled about SSL. It does add some authentication of ownership of a Website, but it is not indicative of the security of that Website," he says. "There's never been a case of sniffing a credit card where SSL would have protected it."

Gaining the Hacker Safe seal helps merchants comply with the Payment Card Industry's Data Security Standard, he notes, a crucial requirement for sites that accept credit cards. Visa International has offered Hacker Safe/PCI promotions for merchants, and the Better Business Bureau is offering discounts to companies that adopt Hacker Safe, he says.

Trouble is, White Hat's Grossman says, some companies may put too much stock in a security seal. "I worry about the small- and medium-sized companies that believe what these [seals] are providing them is security," he says.

White Hat customers often ask for a White Hat "logo" for their scans, Grossman says. "We consider and reconsider and consider it again. But we're not ready to commit to that: all of a sudden our customers become targets because of those logos," he says.

ScanAlert's new Hacker Safe Enterprise is a managed service that checks for, and fixes, network vulnerabilities on a Website. It includes daily vulnerability scans and quarterly penetration tests of the Website perimeter, and includes support from ScanAlert's Hacker Safe Labs security experts. It's priced from $49 per month and can go up to over $100,000 per year, depending on the size and complexity of the company's Website perimeter, according to ScanAlert's Oliphant.

In a related announcement this week, Hacker Safe Labs officially entered the security research fray with its first disclosure of e-commerce software bugs, and will do so on a regular basis.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
