
I clearly understand that the security seals (VeriSign or Norton Secured, etc.) shown on banking and other websites are generated using a script and are available only after an SSL certificate is purchased and installed.

The certificate vendors say "the seal helps improve your customers' perception of safety and trust"

I just somehow can not convince myself with this idea of 'perception of safety'.

  1. No user is going to click the seal every time to see if it is really a seal by VeriSign. Most users will be unaware of this feature.
  2. The image can easily be faked on a phishing site.
  3. The vendors claim that it is a protection mechanism against phishing and Identity theft.
Shurmajee

4 Answers


As Rook pointed out, security theatre is a big part of how consumer perception is exploited to ensure that customers believe that something is safe, without the vendor having to go through all that complicated hassle with actual security.

The TSA is a great example, but there are many others:

  • Extended Validation on SSL certificates is largely theatre, as the EV process does nothing to actually improve the cryptographic or algorithmic security of the transaction. If a 3rd party wants to get a certificate for the domain from a dodgy CA, they can do so without the EV and 99% of users wouldn't notice.
  • The design of certain enterprise-level security appliances, from a physical and interactive perspective, are often tailored to invoke images of robustness. This usually involves building the unit out of sturdy black metal, with a few blinky blue lights on the front, and putting padlocks and other such imagery on the web panel.
  • Bag searches at large events like concerts are largely security theatre. It's near impossible to get a few hundred people through a proper bag search process, so the staff take a quick look and let you through. More often than not, they're just trying to stop you bringing a big bottle of vodka, so you have to pay at the bar. But part of it is to make you feel safer, despite the fact that anyone could easily conceal weapons, drugs, etc. without detection.
  • Anti-phishing techniques such as secret images are (usually) security theatre, in that it is often either trivial for a 3rd party to steal the secret image from the site without authentication, or that the image is displayed after the user has entered their full set of authentication credentials.

At the end of the day, it's all about marketing. If a company can sell you the image of something being more secure than it is, they are more likely to get a sale because you have peace of mind.

Polynomial
  • EV certificates allow you to tell the difference between https://www.whitehouse.com/ and https://www.whitehouse.gov/ ... or it *would* if either www.whitehouse.gov **or** whitehouse.gov had a valid SSL certificate. (They're *different* certificates too.) They also allow you to tie a physical company you're used to, such as your bank, to a website owned by the same company. Not that even 0.1% of users would actually do this. – Ladadadada Apr 05 '13 at 10:00
  • @Ladadadada My point is that there's nothing to stop a rogue CA from issuing a cert for whitehouse.gov, even with an EV for that matter. – Polynomial Apr 05 '13 at 10:17
  • But CAs are trusted third parties. If they decide to cheat users, the whole system will come down. – Shurmajee Apr 05 '13 at 10:30
  • @MayankSharma: Do you trust "Agencia Catalana de Certificacio"? Do you trust "AOL"? Maybe, maybe not. I have randomly picked these ones out of the looong list of "trusted CAs" that ships with Firefox; very few people are aware of this list, and the implicit trust they are putting into the CAs (and the browser which ships with them). It only takes one of the CAs on the list to go rogue; this has happened multiple times. The point is, the whole system is already broken; it didn't come down yet only because nobody cares. (Etisalat? DigiNotar? Comodo? No change since then...) – Piskvor left the building Apr 05 '13 at 11:18
  • I agree. I wonder, is there nobody monitoring the CAs? – Shurmajee Apr 05 '13 at 11:22
  • Moxie Marlinspike did a talk at DefCon about the flaws in CA infrastructure: http://www.youtube.com/watch?v=Z7Wl2FW2TcA – jackweirdy Apr 05 '13 at 12:58
  • @MayankSharma The vendors of products that include CA certs have requirements the CAs must meet to have those certs distributed. For example: http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html. Accredited audits are usually part of that. – Jeff Ferland Apr 05 '13 at 18:27
  • @jackweirdy That is a very informative video. Must watch. Thanks for the link. – Shurmajee Apr 08 '13 at 09:56

Security seals are used on phishing sites, and our tax dollars fund the TSA. Whether we like it or not, "Security Theater" rules us all.

rook

Can security seals (badges) be used by a sophisticated customer to verify certain aspects of a site's authenticity? Yes

Do they make their host site safer? No

Can their presence increase customer trust and conversion rates? Yes

It's mostly about marketing and somewhat about allowing customers to gain additional validation of your identity if they so choose. If only one percent of your customer base are suspicious skeptics (like me) then it can be worth the small investment. (I made up that number... Don't hold me to it)

http://econsultancy.com/us/blog/7941-which-e-commerce-trustmarks-are-most-effective

Brian Adkins

SSL certificates are the best we can do now, but on the other hand those Symantec/VeriSign security seals that proudly state that a site is "secure" are the worst we can do.

I've stumbled across too many sites with those seals and valid SSL certificates that, e.g., only encrypt login forms or shopping baskets. Your cookies are still sent in plaintext, enabling any attacker to get access to your account without even having to know your password or your username.

Anytime you log in to a website, please make sure that you're not able to go back to plain HTTP while still logged in, and that there are no "elements in the website" that are not sent over SSL.

I understand that these badges are marketing, but oh dear, that's not even good marketing.

Pedro Perez
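The failure mode Pedro describes (a site that serves its login page over TLS but then hands out a session cookie the browser will happily replay over plain HTTP) is something you can check mechanically from the response headers alone. The following is an added example, not code from the original answer or from any vendor: it parses each `Set-Cookie` header, flags session-looking cookies that lack `Secure` or `HttpOnly`, and notes the absence of `Strict-Transport-Security`, which is what stops a logged-in user from being pulled back to `http://`. The `SESSION_HINTS` name list and both sample responses are constructed for illustration; feed it the raw header list from whatever HTTP client you use against a real target.

```python
# Added example (not from the original post): audit a login response's
# Set-Cookie and Strict-Transport-Security headers for the failure mode
# described above, a session cookie the browser will also send over plain HTTP.
from typing import Dict, List, Tuple

# Heuristic substrings for cookies that are probably session/auth material.
# Assumption: names are site-specific; extend the tuple for a real target.
SESSION_HINTS = ("sess", "auth", "token", "login", "sid", "remember")


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value}).

    Flag attributes such as Secure and HttpOnly map to ''. Attribute names
    are lower-cased because RFC 6265 treats them case-insensitively.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def looks_like_session_cookie(name: str) -> bool:
    """True if the cookie name matches one of the heuristic hints."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_login_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings for a response served over HTTPS.

    `headers` is the raw (name, value) list from the HTTP response; a dict
    keyed by header name would silently drop repeated Set-Cookie entries.
    """
    findings: List[str] = []
    has_hsts = False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cname, attrs = parse_set_cookie(hvalue)
            if not looks_like_session_cookie(cname):
                continue  # e.g. a language preference; not worth flagging
            if "secure" not in attrs:
                findings.append(
                    f"{cname}: missing Secure; the browser sends it on any "
                    f"http:// request to the site, so the session is sniffable"
                )
            if "httponly" not in attrs:
                findings.append(
                    f"{cname}: missing HttpOnly; readable by injected script"
                )
    if not has_hsts:
        findings.append(
            "no Strict-Transport-Security header; a plain http:// link or "
            "mixed-content element can pull the logged-in user off TLS"
        )
    return findings


# Constructed sample responses for the example; not captured from any site.
LEAKY_LOGIN = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=3f9c0a; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]

HARDENED_LOGIN = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "PHPSESSID=3f9c0a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("leaky", LEAKY_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_login_response(hdrs) or ["no findings"])
```

The `Secure` attribute is the direct fix for the cookie-in-plaintext problem; HSTS closes the remaining gap where the user, or a link on the page, requests an `http://` URL before the cookie is ever sent. The name heuristic will miss oddly named session cookies, so on a real engagement confirm by logging in and watching which cookie is actually required to stay authenticated.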