Hacker Safe, ControlScan, VeriSign, Cybertrust -- what's in a Website label, anyway?

As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, prove that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, help verify that a site is not a phish or a phony. (See Cybertrust Enters EV SSL Fray.)

And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust, are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

But are sites with a Website seal really more secure?

Website operators say displaying these logos demonstrates that they have made a good faith effort to run a clean site, and that they are being proactive in securing their sites. "I know that by implementing [Hacker Safe], I'm still ten times more secure than without it," says Lynnette Montgomery, general manager of e-commerce for Levenger, a $75 million reading and writing tools retailer that offers its products online as well as through stores and paper catalogs. "It's more that you are covering your bases, trying to be the best you can be, honest and putting your best foot forward."

Montgomery says another attraction of the Hacker Safe seal is its potential to bring in new customers. "Most companies I spoke to [about Hacker Safe] increased their conversion rate," she says. And that provides an ROI for the security service: "If I receive a two percent increase in conversion of customers, that's almost $500,000 in additional sales," she explains.

There are over 75,000 sites with the Hacker Safe seal today, including the American Red Cross, Fidelity National Financial, General Nutrition Center's HP, Johnson & Johnson, Nike, Northrop Grumman, Petco, Sony, The World Bank, Visa, Warner Brothers, and Yahoo.

ScanAlert CEO and founder Ken Leonard says the ROI aspect of the Hacker Safe seal helps IT not only meet a standard of security but also appeals to an organization's marketing department. "The marketing department sees the advantage of Hacker Safe," he says.

But some security experts say a Website label is just that -- a marketing tool to make a site more "sticky," without really guaranteeing a site's security or legitimacy. ScanAlert's Hacker Safe seal, for instance, came under fire last fall when the sla.ckers.org hacker group found cross-site scripting (XSS) vulnerabilities on several Websites emblazoned with ScanAlert's Hacker Safe seal. And critics say the EV SSL seals from VeriSign and Cybertrust aren't safe from serious criminals who can also nefariously obtain these seals of approval. (See Hackers Reveal Vulnerable Websites and Two Vendors Deny XSS Flaws.).

"[Labels] aren't necessary from a security standpoint," says Jason Reed, a principal consultant with Systems Experts, who adds that they instead demonstrate a good faith effort. "It doesn't make you more secure, but it does mean you tried," he says.

Reed, who performs vulnerability assessments and analysis for companies, says some of his clients also use services like Hacker Safe. "They bring me in to do in-depth analysis," he says.

The bottom line is that there's no way to truly guarantee a secure Website. ScanAlert estimates that more than half of the new customers it enrolls initially arrive with XSS flaws, and nearly half with database vulnerabilities like SQL injection.

And all it takes is one hole on a site. "[Website seals] may do some amount of good on the networking side, but from a Web application perspective, they do nothing," says sla.ckers member Kyran, who has found many XSS flaws in Hacker Safe and other sites. "On most of their sites, they say something similar to '99.99 percent secure!' While this may be true -- [and] it usually isn't -- that 0.01 percent could be used as an exploit itself, or it could be used as a tool in social engineering. That small hole reduces the integrity of the entire site."

Meanwhile, Tim Callan, product marketing director of SSL for VeriSign, notes that EV SSL was developed in part to help restore confidence in ecommerce sites.

"The purpose behind EV SSL is to provide a trustworthy badge visitors can see," he says. "It was needed for a variety of reasons -- with the advent and meteoric rise in lost confidence on sites. We had seen a dropoff in online purchases because there was a general sense of 'I don't know if I'm being defrauded or not,'" he says.

But Jeremiah Grossman, CTO of White Hat Security, which provides Web application security services, says EV SSL sites are still hackable. "They don't have any bearing on the security of the Website [itself] -- only that you're coming into a trusted site," he says.

Brett Oliphant, vice president of security services for ScanAlert, says that to some extent, Hacker Safe and SSL certified seals such as VeriSign's compete, which can be confusing for consumers.

"We think the consumer has been misled about SSL. It does add some authentication of ownership of a Website, but it is not indicative of the security of that Website," he says. "There's never been a case of sniffing a credit card where SSL would have protected it."

Gaining the Hacker Safe seal helps merchants comply with the Payment Card Industry's Data Security Standard, he notes, a crucial requirement for sites that accept credit cards. Visa International has offered Hacker Safe/PCI promotions for merchants, and the Better Business Bureau is offering discounts to companies that adopt Hacker Safe, he says.

Trouble is, White Hat's Grossman says, some companies may put too much stock in a security seal. "I worry about the small- and medium-sized companies that believe what these [seals] are providing them is security," he says.

White Hat customers often ask for a White Hat "logo" for their scans, Grossman says. "We consider and reconsider and consider it again. But we're not ready to commit to that: all of a sudden our customers become targets because of those logos," he says.

ScanAlert's new Hacker Safe Enterprise is a managed service that checks for, and fixes, network vulnerabilities on a Website. It includes daily vulnerability scans and quarterly penetration tests of the Website perimeter, and includes support from Scan Alert's Hacker Safe Labs security experts. It's priced from $49 per month and can go up to over $100,000 per year, depending on the size and complexity of the company's Website perimeter, according to ScanAlert's Oliphant.

In a related announcement this week, Hacker Safe Labs officially entered the security research fray with its first disclosure of e-commerce software bugs, and will do so on a regular basis.

— Kelly Jackson Higgins, Senior Editor, Dark Reading