2/9/2007
02:10 AM
Are 'Sealed' Websites Any Safer?

Website seals are designed to make buyers feel safer. But are sites with seals really more secure?

Hacker Safe, ControlScan, VeriSign, Cybertrust -- what's in a Website label, anyway?

As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, attest that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is not a phish or a phony. (See Cybertrust Enters EV SSL Fray.)

And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

But are sites with a Website seal really more secure?

Website operators say displaying these logos demonstrates that they have made a good faith effort to run a clean site, and that they are being proactive in securing their sites. "I know that by implementing [Hacker Safe], I'm still ten times more secure than without it," says Lynnette Montgomery, general manager of e-commerce for Levenger, a $75 million reading and writing tools retailer that offers its products online as well as through stores and paper catalogs. "It's more that you are covering your bases, trying to be the best you can be, honest and putting your best foot forward."

Montgomery says another attraction of the Hacker Safe seal is its potential to bring in new customers. "Most companies I spoke to [about Hacker Safe] increased their conversion rate," she says. And that provides an ROI for the security service: "If I receive a two percent increase in conversion of customers, that's almost $500,000 in additional sales," she explains.

There are over 75,000 sites with the Hacker Safe seal today, including the American Red Cross, Fidelity National Financial, General Nutrition Center's HP, Johnson & Johnson, Nike, Northrop Grumman, Petco, Sony, The World Bank, Visa, Warner Brothers, and Yahoo.

ScanAlert CEO and founder Ken Leonard says the ROI aspect of the Hacker Safe seal helps IT not only meet a standard of security but also appeals to an organization's marketing department. "The marketing department sees the advantage of Hacker Safe," he says.

But some security experts say a Website label is just that -- a marketing tool to make a site more "sticky," without really guaranteeing a site's security or legitimacy. ScanAlert's Hacker Safe seal, for instance, came under fire last fall when the sla.ckers.org hacker group found cross-site scripting (XSS) vulnerabilities on several Websites emblazoned with ScanAlert's Hacker Safe seal. And critics say the EV SSL seals from VeriSign and Cybertrust aren't safe from serious criminals, who can also nefariously obtain these seals of approval. (See Hackers Reveal Vulnerable Websites and Two Vendors Deny XSS Flaws.)

"[Labels] aren't necessary from a security standpoint," says Jason Reed, a principal consultant with Systems Experts, who adds that they instead demonstrate a good faith effort. "It doesn't make you more secure, but it does mean you tried," he says.

Reed, who performs vulnerability assessments and analysis for companies, says some of his clients also use services like Hacker Safe. "They bring me in to do in-depth analysis," he says.

The bottom line is that there's no way to truly guarantee a secure Website. ScanAlert estimates that more than half of the new customers it enrolls initially arrive with XSS flaws, and nearly half with database vulnerabilities like SQL injection.

And all it takes is one hole on a site. "[Website seals] may do some amount of good on the networking side, but from a Web application perspective, they do nothing," says sla.ckers member Kyran, who has found many XSS flaws in Hacker Safe and other sites. "On most of their sites, they say something similar to '99.99 percent secure!' While this may be true -- [and] it usually isn't -- that 0.01 percent could be used as an exploit itself, or it could be used as a tool in social engineering. That small hole reduces the integrity of the entire site."

Meanwhile, Tim Callan, product marketing director of SSL for VeriSign, notes that EV SSL was developed in part to help restore confidence in e-commerce sites.

"The purpose behind EV SSL is to provide a trustworthy badge visitors can see," he says. "It was needed for a variety of reasons -- with the advent and meteoric rise in lost confidence on sites. We had seen a dropoff in online purchases because there was a general sense of 'I don't know if I'm being defrauded or not,'" he says.

But Jeremiah Grossman, CTO of White Hat Security, which provides Web application security services, says EV SSL sites are still hackable. "They don't have any bearing on the security of the Website [itself] -- only that you're coming into a trusted site," he says.

Brett Oliphant, vice president of security services for ScanAlert, says that to some extent, Hacker Safe and SSL certified seals such as VeriSign's compete, which can be confusing for consumers.

"We think the consumer has been misled about SSL. It does add some authentication of ownership of a Website, but it is not indicative of the security of that Website," he says. "There's never been a case of sniffing a credit card where SSL would have protected it."

Gaining the Hacker Safe seal helps merchants comply with the Payment Card Industry's Data Security Standard, he notes, a crucial requirement for sites that accept credit cards. Visa International has offered Hacker Safe/PCI promotions for merchants, and the Better Business Bureau is offering discounts to companies that adopt Hacker Safe, he says.

Trouble is, White Hat's Grossman says, some companies may put too much stock in a security seal. "I worry about the small- and medium-sized companies that believe what these [seals] are providing them is security," he says.

White Hat customers often ask for a White Hat "logo" for their scans, Grossman says. "We consider and reconsider and consider it again. But we're not ready to commit to that: all of a sudden our customers become targets because of those logos," he says.

ScanAlert's new Hacker Safe Enterprise is a managed service that checks for, and fixes, network vulnerabilities on a Website. It includes daily vulnerability scans and quarterly penetration tests of the Website perimeter, and includes support from ScanAlert's Hacker Safe Labs security experts. It's priced from $49 per month and can go up to over $100,000 per year, depending on the size and complexity of the company's Website perimeter, according to ScanAlert's Oliphant.

In a related announcement this week, Hacker Safe Labs officially entered the security research fray with its first disclosure of e-commerce software bugs, and will do so on a regular basis.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...