Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals

In the current web of distrust, malware, and server compromises, convincing an online consumer that a website is secure can make the difference between a visitor and a buyer. Third-party security seals position themselves as a solution to this problem: a trusted external company vouches for the security of a website and communicates this to visitors through a security seal that the certified website can embed in its pages. In this paper, we explore the ecosystem of third-party security seals, focusing on their security claims, in an attempt to quantify the gap between the advertised guarantees of security seals and reality. Through a series of automated and manual experiments, we find a real lack of thoroughness on the side of the seal providers, which results in obviously insecure websites being certified as secure. Beyond this incomplete protection, we demonstrate how malware can trivially evade detection by seal providers, and we detail a series of attacks that are actually facilitated by seal providers. Among other things, we show how seals can lend additional credence to phishing attacks, and how the current architecture of third-party security seals can be used as a completely passive vulnerability oracle, allowing attackers to focus their energy on websites with known vulnerabilities.
