2/9/2007
02:10 AM
Are 'Sealed' Websites Any Safer?

Website seals are designed to make buyers feel safer. But are sites with seals really more secure?

Hacker Safe, ControlScan, VeriSign, Cybertrust -- what's in a Website label, anyway?

As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, indicate that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) certificate, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that the organization behind a site is who it claims to be, so that a visitor can tell the real site from a phishing look-alike. (See Cybertrust Enters EV SSL Fray.)

And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust, are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

But are sites with a Website seal really more secure?

Website operators say displaying these logos demonstrates that they have made a good faith effort to run a clean site, and that they are being proactive in securing their sites. "I know that by implementing [Hacker Safe], I'm still ten times more secure than without it," says Lynnette Montgomery, general manager of e-commerce for Levenger, a $75 million reading and writing tools retailer that offers its products online as well as through stores and paper catalogs. "It's more that you are covering your bases, trying to be the best you can be, honest and putting your best foot forward."

Montgomery says another attraction of the Hacker Safe seal is its potential to bring in new customers. "Most companies I spoke to [about Hacker Safe] increased their conversion rate," she says. And that provides an ROI for the security service: "If I receive a two percent increase in conversion of customers, that's almost $500,000 in additional sales," she explains.

There are over 75,000 sites with the Hacker Safe seal today, including the American Red Cross, Fidelity National Financial, General Nutrition Centers, HP, Johnson & Johnson, Nike, Northrop Grumman, Petco, Sony, The World Bank, Visa, Warner Brothers, and Yahoo.

ScanAlert CEO and founder Ken Leonard says the ROI aspect of the Hacker Safe seal helps IT not only meet a standard of security but also appeals to an organization's marketing department. "The marketing department sees the advantage of Hacker Safe," he says.

But some security experts say a Website label is just that -- a marketing tool to make a site more "sticky," without really guaranteeing a site's security or legitimacy. ScanAlert's Hacker Safe seal, for instance, came under fire last fall when the sla.ckers.org hacker group found cross-site scripting (XSS) vulnerabilities on several Websites emblazoned with the Hacker Safe seal. And critics say the EV SSL seals from VeriSign and Cybertrust aren't beyond the reach of serious criminals, who may obtain such certificates for their own sites through fraudulent means. (See Hackers Reveal Vulnerable Websites and Two Vendors Deny XSS Flaws.)

"[Labels] aren't necessary from a security standpoint," says Jason Reed, a principal consultant with Systems Experts, who adds that they instead demonstrate a good faith effort. "It doesn't make you more secure, but it does mean you tried," he says.

Reed, who performs vulnerability assessments and analysis for companies, says some of his clients also use services like Hacker Safe. "They bring me in to do in-depth analysis," he says.

The bottom line is that there's no way to truly guarantee a secure Website. ScanAlert estimates that more than half of the new customers it enrolls initially arrive with XSS flaws, and nearly half with database vulnerabilities like SQL injection.

And all it takes is one hole on a site. "[Website seals] may do some amount of good on the networking side, but from a Web application perspective, they do nothing," says sla.ckers member Kyran, who has found many XSS flaws in Hacker Safe and other sites. "On most of their sites, they say something similar to '99.99 percent secure!' While this may be true -- [and] it usually isn't -- that 0.01 percent could be used as an exploit itself, or it could be used as a tool in social engineering. That small hole reduces the integrity of the entire site."
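The flaw class at the center of the sla.ckers findings is reflected XSS: a request parameter is echoed into the page without output encoding, and a network-level scan never sends the request that would reveal it. The following is an added illustration, not code from the article, from ScanAlert, or from the sla.ckers researchers. It uses a constructed search-results page with two echoed parameters (`q` and `sort`, both hypothetical), shows the same page with HTML-entity encoding applied, and runs the kind of per-parameter probe an application-layer check has to perform to tell the two apart.

```python
import html
from typing import Callable, Dict, List

# Constructed example: a search-results page that echoes two request
# parameters into both a text context and an attribute context. This stands
# in for the kind of e-commerce page on which reflected XSS was reported.
def search_page(params: Dict[str, str], encode: bool) -> str:
    q = params.get("q", "")
    sort = params.get("sort", "price")
    if encode:
        # quote=True also encodes " and ', which the href attribute below
        # needs; encoding only < and > would leave the attribute context open.
        q = html.escape(q, quote=True)
        sort = html.escape(sort, quote=True)
    return (
        f"<p>Results for: {q}</p>"
        f'<a href="?q={q}&sort={sort}">re-sort</a>'
    )


# Probe string: carries the characters an injection needs (quote, close-tag,
# open-tag) but is harmless on its own, and unlikely to occur in a real page.
PROBE = '"><xsstest1234>'


def reflected_params(page: Callable[[Dict[str, str]], str],
                     baseline: Dict[str, str]) -> List[str]:
    """Probe each parameter separately; return the names whose probe value
    comes back verbatim, i.e. without any encoding applied."""
    found = []
    for name in baseline:
        test = dict(baseline)
        test[name] = PROBE
        if PROBE in page(test):
            found.append(name)
    return found


# Constructed baseline request (a normal search) from which each probe starts.
BASELINE = {"q": "fountain pen", "sort": "price"}


def vulnerable() -> List[str]:
    """Parameters reflected unencoded by the page as originally written."""
    return reflected_params(lambda p: search_page(p, encode=False), BASELINE)


def fixed() -> List[str]:
    """Same probe against the page after output encoding is added."""
    return reflected_params(lambda p: search_page(p, encode=True), BASELINE)


if __name__ == "__main__":
    print("unencoded reflection in:", vulnerable())  # ['q', 'sort']
    print("after output encoding:", fixed())          # []
```

A verbatim-reflection check like this is the minimum, not the whole job: a real crawler also has to classify the context the value lands in (text, attribute, script block, URL) and probe with context-specific payloads, because a value that is escaped for one context can still break out of another. The point for this article is narrower: a port-and-service scan of the Website perimeter never issues the request above at all.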

Meanwhile, Tim Callan, product marketing director of SSL for VeriSign, notes that EV SSL was developed in part to help restore confidence in ecommerce sites.

"The purpose behind EV SSL is to provide a trustworthy badge visitors can see," he says. "It was needed for a variety of reasons -- with the advent and meteoric rise in lost confidence on sites. We had seen a dropoff in online purchases because there was a general sense of 'I don't know if I'm being defrauded or not,'" he says.

But Jeremiah Grossman, CTO of White Hat Security, which provides Web application security services, says EV SSL sites are still hackable. "They don't have any bearing on the security of the Website [itself] -- only that you're coming into a trusted site," he says.

Brett Oliphant, vice president of security services for ScanAlert, says that to some extent, Hacker Safe and SSL certified seals such as VeriSign's compete, which can be confusing for consumers.

"We think the consumer has been misled about SSL. It does add some authentication of ownership of a Website, but it is not indicative of the security of that Website," he says. "There's never been a case of sniffing a credit card where SSL would have protected it."

Gaining the Hacker Safe seal helps merchants comply with the Payment Card Industry's Data Security Standard, he notes, a crucial requirement for sites that accept credit cards. Visa International has offered Hacker Safe/PCI promotions for merchants, and the Better Business Bureau is offering discounts to companies that adopt Hacker Safe, he says.

Trouble is, White Hat's Grossman says, some companies may put too much stock in a security seal. "I worry about the small- and medium-sized companies that believe what these [seals] are providing them is security," he says.

White Hat customers often ask for a White Hat "logo" for their scans, Grossman says. "We consider and reconsider and consider it again. But we're not ready to commit to that: all of a sudden our customers become targets because of those logos," he says.

ScanAlert's new Hacker Safe Enterprise is a managed service that checks for, and fixes, network vulnerabilities on a Website. It includes daily vulnerability scans and quarterly penetration tests of the Website perimeter, and includes support from ScanAlert's Hacker Safe Labs security experts. It's priced from $49 per month and can go up to over $100,000 per year, depending on the size and complexity of the company's Website perimeter, according to ScanAlert's Oliphant.

In a related announcement this week, Hacker Safe Labs officially entered the security research fray with its first disclosure of e-commerce software bugs, and will do so on a regular basis.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

