Consumers today are looking for a trusted online experience. In a world of cyber theft, who do they trust when they go online? That’s the question being asked in a new poll on SurveyMonkey.com and every single consumer with online access is invited to participate.
The survey is a single question: When shopping and conducting ecommerce online, which site seal do people trust the most? Choices in alphabetical order:
Better Business Bureau Accredited
Comodo
Geotrust
McAfee
Norton
Thawte
TRUSTe
Trustwave
Voting will remain open until midnight Eastern Time on March 15, 2015.
I don’t know, but cursormania had a Norton seal, and it has been very shady and I am about 99.9 percent sure it can download malware. I don’t know who to trust, but I would probably trust Norton the least
Since Intel acquired McAfee I put a high level of trust in it. Comodo would be a equal tie. I have no problems doing transaction’s with TRUSTe either. Like sithlordadler I’m also not a fan of Norton, but everyday purchasers see the Norton brand and fell protected and assured.
I personally dont care about any of those seals because do they really say much more than the cert? I dont really know and many shops are just putting in the picture without the actual seal so in those cases nobody knows whether the seal is true or fake.
if I would trust seals than it would be from places like the TÜV ( Technischer Überwachungsverein - Wikipedia ) because I dont really know how much insight a CA has into the company but as far as I have seen CAs mostly do the standard validation stuff that the cert needs and throw in the seal as “trust mark”, so that the identity check can be shown more prominently.
In order to see the cert, you need to be in https session. As we know even now HTTPS is used in majority when the user is entering into a transaction (when the user has made his/her mind up). Site seals carry that Identity value to pages where there are no HTTPS.
I agree about inability to validate what you see on the web pages.
well this is in my opinion a huge design flaw because the HTTP can be MiTMed and such sites could probably use a faked seal easy enough, and let’s be serious, who checks that seal more than once.
We have done A/B testing and our Comodo seal does increase conversion on the websites.
We also provide dashboard to see how many people interacted wit the seal and what kind of information they got etc. Reality is, if you only convert 1 visitor into customer using this, then it paid for itself. However the above is nothing to do with security but with website conversion.
From security perspective, nothing on the web page you see can be validated without going “out of band”.
it might be that those “trust seals” are helping for conversion but I personally think that the trust seal is an illusion and nothing more than marketing.
and stuff can be validated well enough using HTTPS.
you can fake a trust seal and HTTP connections can be MITM’ed meaning that even if you are on the right site and somehow checked that that seal is real. if other parts of the site are MITM’ed the whole point of that “seal” is lost.
when using HTTPS, you cannot fake a certificate, you could try to manippulate the trust store but (unless you use internet explorer) this wont help for EV certs.
people TRUST this seal (hence the name) and that trust is sadly an illusion in comparison to the certificate.
if a company really wants to get some trust they should get an EV with the green bar.
Well within what context?
It cannot be faked if the user knows the hash or the cert, the details etc and not merely looking at the padlock to indicate https or not.
But in a state level attack where states have their own root key, i have to disagree with you, because user will still see the indicator without realizing the issuing authority.
well for EVs only very specific CAs can issue a cert with a green bar. (except for IE because it has a setting for for custom OIDs that will show an EV bar)
if we are talking about a state level attacker one of the few things that does help is abolishing the CAs completely and doing it over DANE, because when for example china wants to manipulate dropbox.com, it wont work because the chinese have no access to the DNSSec keys of the com zone much less the root key).
also when talking about state level attackers that they can probably easily enough forge the security seal. attacing HTTPS already takes enough effort because you need the CAs and the ISPs to do what you say and when doing that you could either create a fake site along with a seal or you just use the data you get, maybe modify it or you just read it and get the passwords etc.
what I means earlier about that you cant fake a cert much less an EV was more meant in regards to hackers and the like, but the main point is taht sich a seal can be faked a lot easier than people think.
I have seen enough sites with just the image of such a sel of even multiple of such seals with everyone just being a picture, probably enough to give the average user who probably doesnt know that you should click these things, and in case of comodos “hover” seals because you arent even seeing whether this pop-in comes from comodo or was just places by the site.
the problem is that any site could try to fake a seal just to get the trust, it doesnt even need an attacker, a random scammer could set up his own scamming site, place a lot of trust marks on it and scam the hell out of the people
another way would be finally starting to restrict CAs , so that not every CA can get a cert for every domain.
Firefox for example has (according to their own data) 169 CA Certificates https://wiki.mozilla.org/CA:IncludedCAs
by using a small bit of searching (i use the csv for simplicity and in there we have 94 certs marked as “not ev” meaning that the rest are certs which allow EV certs in there making a remaining of 75 CA Certificates allowing EV generation
I dont know how many of these are tld restricted but I guess that if any that there wont be many.
Well, the TÜV trust seal usually makes me more confident. As far as I remember they provide 3 steps process to examining online store. Probably that makes me feel that the site is secure… but I do not know that much about other seals. Which areas of the website do experts check and scan to provide the final decision? How does all this process work?
well TÜV is something which goes also a bit into what a company does and stuff. (Even EV certs are per the Guidelines explicitly NOT meant to make sure that the company is “trustworthy, honest, or reputable in its business dealings” or even complying with the laws (2.1.3 on https://cabforum.org/wp-content/uploads/EV-V1_6_5.pdf , PDF Page 9)
but be careful and make sure you can click the TÜV icon to see the certification, badge fraud is something you should be careful with, because anyone can copy the badge image off and show it on their website.
also the TÜV Logo has nothing specifically to do with transport security, where I recently got a case where a site embedded a frame from an online shopping provider, and the shopping provider had the the seal of a CA, of course you could NOT click it, and the site embedding the frame was not HTTPS secured. meaning that even if the frame itself was HTTPS’ed the user has no good way of seeing this and to top it off, it could easily have been replaced with the iframe for a scam “shop”, with the trust seal essentially showing a fake security.
Oh… thank you for information. Really useful!
By the way, I assume the TÜV is the most expensive one, do you know any good alternatives but which are cheaper?