The success of e-commerce depends on secure channels for business. Webshop owners must not only provide safe ways for customers to transact, but also convince customers that their transactions are secure. Certification from a trusted third party is one way of earning this trust. A security seal provides a visual symbol that can reassure potential online customers of the trustworthiness of a website. A visible security seal often indicates that a website has been tested for issues such as known vulnerabilities or implanted malware, although the criteria for earning a certification vary, as does the rigour of the testing. Goethem et al. tested whether these security seals actually represent greater security, using a combination of three methods, summarized below.
Websites with security seals are not, in fact, more secure than their counterparts. Beyond simply failing to detect issues with websites, seals can actually facilitate attacks by:
Website owners should carefully consider their choice of third-party seal provider, while also performing their own due diligence in security testing. Seal providers could test their scanning tools more rigorously against known vulnerabilities, to improve their coverage of potential threats. Further, when a security issue is identified, seal providers can give website owners a grace period to remedy the problem before removing the seal as a penalty. Because a seal that is withdrawn immediately signals that the site has an unresolved issue, a grace period could prevent some use of the seals as a vulnerability scanner.
Security seals can be far from a guarantee of safety and could be subverted for nefarious purposes.