Seals certifying the security of e-commerce sites and other online destinations have long aroused suspicions that they're not worth the bits they're made of—much less the hundreds or thousands of dollars they cost in yearly fees. Now, computer scientists have presented evidence that not only supports those doubts but also shows how such seals can in many cases make sites more vulnerable to hacks.

The so-called trust marks are sold by almost a dozen companies, including Symantec, McAfee, Trust-Guard, and Qualys. In exchange for fees ranging from less than $100 to well over $2,000 per year, the services provide periodic security scans of the site. If it passes, it receives the Internet equivalent of a Good Housekeeping Seal of approval that's prominently displayed on the homepage. Carrying images of padlocks and slogans such as "HackerProof," the marks are designed to instill trust in users of the site by certifying it's free of vulnerabilities that hackers prey on to steal credit card numbers and other valuable customer data.

A recently published academic paper discovered an almost universal lack of thoroughness among the 10 seal providers studied. For one thing, the scientists carried out two experiments showing that the scanners failed to detect a host of serious vulnerabilities. In one of the experiments, even the best-performing service missed more than half of the vulnerabilities known to afflict a site. In another, they uncovered flaws in certified sites that would take a typical criminal hacker less than one day to maliciously discover. Most strikingly, the researchers developed attacks that are enabled by a site's use of security seals, a shortcoming that ironically makes sites that use some seals more vulnerable than if they didn't use the service.

"Through a series of automatic and manual experiments, we discovered that third-party security seals are severely lacking in their thoroughness and coverage of vulnerabilities," the paper, titled Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals, concluded. "We uncovered multiple rudimentary vulnerabilities in websites that were certified to be secure and showed that websites that use third-party security seals do not follow security best practices any better than websites that do not use seals. In addition, we proposed a novel attack where seals can be used as vulnerability oracles and describe how an attacker can abuse seal providers to discover the exact exploit for any given vulnerable seal-using website."

Black Box

One of the chief shortcomings is the use of automated scanners that check client sites on a regular basis, usually daily or weekly. All 10 of the services do so in a black box fashion, in which automated scanners expose sites to a variety of attacks without any knowledge of their internal workings. The scientists performed an eight-hour manual penetration test on nine sites certified as secure. In seven of the nine sites, they found multiple severe vulnerabilities, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). Three of the four e-commerce sites that underwent the penetration test were susceptible to attacks that allowed people to manipulate the price charged for a product or service.

"Besides these general limitations that render seal providers unable to find vulnerabilities which require a series of coherent actions, we also found easily discoverable vulnerabilities, which were missed by the seal providers, in six out of nine websites," the paper stated. "These vulnerabilities consist of cross-site scripting vulnerabilities where a GET or POST parameter was reflected without proper encoding, and even a 'textbook' SQL injection."

In one case, the researchers stumbled upon a serious vulnerability without intentionally looking for it. In the process of contacting a certified e-shop to ask permission to conduct a penetration test, a researcher used a contraction containing a single quotation mark. The punctuation mark generated a SQL error in the message body. As demonstrated in a recent report about a hacker group that has taken control of critical networks in the US and 15 other countries, SQL injection attacks are frequently the entry points into targeted systems.
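The contact-form failure described above, as an added example that is not from the paper or the article: a hypothetical message-storing handler built on an in-memory SQLite table, shown in the defective string-concatenation form beside the parameterized fix. A body containing an apostrophe ("we'd") breaks the first and is stored intact by the second.

```python
import sqlite3

# Constructed stand-in for the e-shop's contact-form table (hypothetical schema).
def _setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    return conn

def store_message_vulnerable(conn, body):
    """The defect: the body is pasted into the SQL text. An apostrophe in a
    contraction terminates the string literal early, so the database answers
    with a syntax error instead of storing the message. Echoing that error
    back to the user is the second defect the researchers observed."""
    conn.execute("INSERT INTO messages (body) VALUES ('" + body + "')")
    return conn.execute("SELECT body FROM messages").fetchone()[0]

def store_message_fixed(conn, body):
    """The fix: bind the body as a parameter, so it is data and never SQL."""
    conn.execute("INSERT INTO messages (body) VALUES (?)", (body,))
    return conn.execute("SELECT body FROM messages").fetchone()[0]

def probe(body):
    """Feed one message to both handlers on fresh tables.
    Returns (vulnerable_outcome, fixed_outcome): the stored body on
    success, or the database's error text on failure."""
    outcomes = []
    for handler in (store_message_vulnerable, store_message_fixed):
        conn = _setup()
        try:
            outcomes.append(handler(conn, body))
        except sqlite3.OperationalError as exc:
            outcomes.append("SQL error: " + str(exc))
        finally:
            conn.close()
    return tuple(outcomes)

if __name__ == "__main__":
    # Constructed input: an ordinary English contraction, not an attack string.
    print(probe("Hello, we'd like permission to run a penetration test."))
```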

The researchers also set up an e-commerce site that was configured to contain 12 threats, including various types of malware infections, SQL injections, CSRF, and XSS. They then purchased trust marks from eight of the 10 services studied to inspect the site (the remaining two services required proof of a valid business). All eight of the services providing a seal found less than half of the vulnerabilities, with two of them failing to detect any defects at all. Also troubling was the inability of many services to detect the malware, even though it was cataloged in public databases such as VirusTotal.

"The inability to find publicly reachable malware by browsing our webshop is another indication that the security-scan employed by seal providers is incomplete," the researchers wrote.

Facilitating attacks

The most surprising finding from the 13-page paper is that a site's use of trust marks can in some cases make it more vulnerable to hacking by tipping off attackers that it contains easily exploitable bugs. The vulnerability "oracle" is the result of the way seal providers respond when a previously certified website fails to pass a later inspection. Rather than removing the certificate from the website, the provider either makes the seal turn transparent or changes its dimensions, in both cases making it imperceptible to visitors.

The researchers employed a script that searched much of the Internet for popular sites that displayed seals and then visited them daily over a two-month period. An automated script paid close attention to the status of the seals. Of the roughly 8,000 seal-using sites that the researchers identified, they discovered 333 instances in which a site transitioned from a visible seal to an invisible one, or vice versa. For 189 of the sites, the seal remained permanently invisible.

"This could either be due to an expired contract between the seal-using website and the seal provider, or due to a website being constantly vulnerable," the researchers wrote. "In any case, from an attacker's point of view, an invisible seal should provide more than enough motive to start attacking a website."
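The visible-to-invisible transition described above is the signal a site operator should be watching on their own pages, since it is what an attacker looks for. The following is an added example, not code from the study: it assumes a hypothetical badge markup (an `<img id="seal">` whose size or style the provider rewrites) and classifies a snapshot as visible or hidden, then counts flips across daily snapshots.

```python
from html.parser import HTMLParser

# Constructed snapshots of a hypothetical seal badge; the attribute names are
# assumptions, not any provider's real format.
VISIBLE_SEAL = '<img id="seal" src="/seal.png" width="120" height="60">'
HIDDEN_SEALS = [
    '<img id="seal" src="/seal.png" width="1" height="1">',          # shrunk
    '<img id="seal" src="/seal.png" style="opacity: 0; width:120px">',  # transparent
    '<img id="seal" src="/seal.png" style="display:none">',           # removed
]

class _SealFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.seal = None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("id") == "seal":
            self.seal = attrs

def _style_props(style):
    props = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    return props

def seal_is_visible(html):
    """True only if the seal is present and rendered at a human-visible size."""
    finder = _SealFinder()
    finder.feed(html)
    if finder.seal is None:
        return False
    style = _style_props(finder.seal.get("style"))
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return False
    if style.get("opacity") in ("0", "0.0"):
        return False
    for dim in ("width", "height"):
        raw = style.get(dim, finder.seal.get(dim, "0")).rstrip("px")
        try:
            if float(raw) <= 1:     # 1x1 or 0x0 badge: invisible in practice
                return False
        except ValueError:          # e.g. percentages: treat as visible
            pass
    return True

def seal_transitions(daily_html):
    """Count visible<->hidden flips across daily snapshots of one page."""
    states = [seal_is_visible(h) for h in daily_html]
    return sum(1 for a, b in zip(states, states[1:]) if a != b)
```

An operator who alerts on any transition learns of a failed scan at the same moment an outside observer could, rather than days later.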

The researchers went on to monitor the specific Web requests a service made when scanning a site. They checked for things such as the presence of certain files or whether there was evidence of XSS or SQL injection vulnerabilities. In some cases, the number of requests can be as high as 180,000.

"By setting up a website and purchasing a security seal (or getting a free trial), the attacker can collect the series of requests and replay them to the vulnerable website, thus discovering the exact vulnerability that caused the victim's seal to disappear," the paper explained. Running so many requests against a large number of sites can prove costly. By making it easy to spot sites that have recently failed a security inspection, the services help hackers prioritize which sites to try first and which specific requests should be employed.

The paper named the ten services it studied but did not tie specific shortcomings to individual providers. The services included Norton Secured, McAfee Secure, Trust-Guard, SecurityMetrics, WebsiteProtection (provided by GoDaddy), BeyondSecurity, Scan Verify, Qualys, HackerProof, and TinfoilSecurity. The findings, which were presented at last month's Conference on Computer and Communications Security, provide empirical evidence supporting what critics of trust marks have long argued. The seals, they say, offer little meaningful assurance to visitors or operators that a site is secure.