in Technical 391 Words

Secure UI: Site Seals

In How Not to Get Hooked by a 'Phishing' Scam, the FTC offers this guidance:

Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.

Unfortunately, credibility of the "lock" icon is questionable (via Payments News).  Arguably, the "lock" icon is even harmful because, as users come to depend on it presence, they become more vulnerable when it's spoofed.

Trust is a double-edged sword.

With the "lock" icon undersiege, e-commerce companies are looking at other types of protections such as VeriSign Secure Site Seal and GeoTrust True Site which work by including a javascript fragment from a site seal server which inlines a site-specific image or an animation like the ones below.

    

Since these javascript fragments are executed inside the target page, they can examine domain the page was served from, ensure that they are being served from an approved site, and prominently display an attractive site-specific image that offer assures the users visually.  The image can also be click-on to display information about the SSL certificate used in the HTTPS session.

Do these services offer any real protection?  No.  Because they rely so heavily on the visual, they are wide open to Visual Spoofing.  Both the 'seal' image and the popup can be spoofed with a notepad and an image editor.  Clever tricks inside the included javascript fragment are useless because they are not included.

IMHO, they are more dangerous than the "lock" icon because they loudly invite the users to trust and depend on presence of images which can be easily spoofed.  The main problem is that those images are site-specific which appears to offer more protection than the generic "lock" icon.  But since hackers typically engineer site-specific phishing attacks, the appearance of improved protection turns into a liability that invites the hacker to leverage to their advantage.

I will post about possible ways to implement site seals with anti-phishing features in the near future.  Meanwhile, be sure to read my other posts on the subject of secure UI.