False sense of security

Anyone noticing security seals on the Web sites? If not, here's how they look like:

Verisign Globalsign Entrust 

This is how they work: you click on the seal, and a pop-up window opens telling you that the bearer of this is indeed who they claim they are. Plus some marketing material and sometimes a link to abuse report form. Please go to the web sites of the SSL certificate vendors to see this amazing functionality yourself. Moreover, according to Verisign:

Displaying the seal on your Web site can increase visitor-to-sales conversions, lower shopping cart abandonment, and result in larger average purchases.

They also call  it a trust mark. Never mind that the real trust mark is the padlock that is displayed by the browser. Well, there's one problem with that: not too many people are paying attention to the padlock. So someone in the marketing department came up with the seal idea.

In reality the seals closely resemble Web page ads. And they have a similar role: the seals allow vendors of SSL certificates to collect information about visitors of the owners of Web sites using those SSL certificates. Thawte even displays a convinient invisible image (https://extended-validation-ssl.thawte.com/dot_clear.gif), the type often used for user tracking, to those who click their seal.

Meanwhile the users tend to ignore picture ads - especially those saying "click me". So the primary, advertised function isn't achieved. Not that the picture, or the pop-up windows prove anything. Spoofing is trivial.

Commercial certification authorities must end this practice. As something that gives false sense of security, the secure seal is bad for security.

Published Thursday, April 19, 2007 4:31 AM by Slav
Filed under: ,

Comments

# re: False sense of security

Yes, I agree that these seals are unimpressive as security - and probably just plain bad (distract users from significant security measures; easy to fake; encourage users to click on things).

I wonder if they've evolved because of how badly the browser padlock message seems to have been messed up for US consumers?

For convenience, most of the US banks allow their customers to logon to IB from their home page.  Of course it is then difficult to explain to users what they should look for to make sure that this is secure - so many of the banks have ended up with an image of a padlock next to the logon button on their site.  Chase and WaMu are classic examples.  [As an alternative, BofA and Wells Fargo now have their home page as SSL.]

Now customers don't typically look for any sort of secondary security indicator, but I think US banks have done a good job of confusing their customers on the most important one (SSL).  VeriSign et al have come up with a cheap 'trust' product - and remarkably there is a market, because some companies think this will make their customers happier.

Tuesday, April 24, 2007 1:10 AM by Pete

# re: False sense of security

Hi Pete, - thanks for the comment. As for logging on from the home page - there is a trivial solution to the dilemma. It is used by a bank that gets phished most, (I have mentioned it in http://msmvps.com/blogs/sp/archive/2007/03/04/analysing-phishing-white-noise.aspx). Go SSL for the entire site. It used to be expensive - not any longer.

Tuesday, April 24, 2007 4:21 AM by Slav

# How to prevent 1% of cybercrime?

An interesting picture appears on the PBS Shop Web site: Because of what it says I felt an urge to click

Saturday, May 05, 2007 8:20 PM by Risque Management

Leave a Comment

(required) 
(required) 
(optional)
(required)