Trust seal

A trust seal is a seal granted by an entity to websites or businesses for display. Its purpose is usually to demonstrate to customers that the business is concerned with security and with its verified business identity. The requirements placed on the displaying merchant vary, but typically involve a commitment to good security practices, the use of secure methods for transactions or, most importantly, the verified existence of the company. Trust seals come in a variety of forms, including data security seals, business-verified seals and privacy seals, and are available from a variety of companies for a fee. A trust seal can be either active or passive. Most seals are validated when they are created and remain valid for a specific period, after which the business or process has to be re-validated.

[Figure: Generic example of a trust seal]

Kinds of trust seals

Privacy seal

A privacy seal outfits a company with a privacy statement suited to its business practices. It also helps the company identify potential privacy threats that would otherwise go unnoticed. TRUSTe is an example of a privacy seal.

Business practice seals

These are seals that endorse an operational practice of a business. For example, an endorsement of the manufacturing quality practices of the company. Privacy seals are a subset of this category but popular enough, specifically with online retailers, to be mentioned separately. The Better Business Bureau seal is an example of a business practice seal.

Business identity seal

A business identity seal, also known as a Verified Existence Seal, is one which verifies the legal, physical and actual existence of the business by verifying multiple parameters such as statutory details, contact details, management details, etc. Verified existence trust seals add weight to the profiles of the deployers and boost confidence of prospective clients. A major benefit of a verified trust seal is that it represents due diligence by the grantor before granting a certificate for the business.

Security seals

Security trust seals are the most popular type of trust seal verification. There are two different types: server verification and site verification. Server verification services perform daily scans of the hosting server, checking that patches have been applied and that the server is not otherwise vulnerable to attack. Site verification services check that customers are protected under normal circumstances by testing the website for common vulnerabilities such as cross-site scripting (XSS) and SQL injection. Norton and TrustedSite are two of the most popular security seals.

Criticisms

Third-party verification from a reliable source and a strategically placed trust seal may reassure customers about a site's safety and security.[1] Some trust seals, such as McAfee Hacker Safe, have nevertheless been criticized for not doing enough to protect the security of a site's visitors,[2] for example by intentionally marking as 'Hacker Safe' websites that McAfee knew to have an XSS vulnerability.[3] This is possible because most seals are a simple image that an attacker can copy and paste onto their own site. Such lapses highlight the importance of anti-XSS security measures. Trust seals can give a false sense of security because they are awarded at a particular point in time: unless the website is scanned daily and the scan date is displayed, changes in technology and newly discovered loopholes are not reflected in the seal, so it does not represent flaws in the updated technology. The seal's iconographic weight is high enough to mislead customers who are unaware of these changes.[4] The FTC has fined fraudulent seal companies whose seals provide no real security benefit.[5]
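The two preceding sections make three points a defender can actually check: a passive seal is just an image anyone can copy, an active seal should link back to the issuer's verification page for this particular site, and a seal whose scan date is not displayed and recent says nothing about the site's current state. The following example, added here and not code from the article or from any seal vendor, encodes those checks over a seal embed. The issuer host (`example-seal.test`), the `site=` query parameter, the "Scanned YYYY-MM-DD" caption and the HTML snippets are all constructed assumptions; real vendors use their own formats.

```python
"""Assess a trust-seal embed: is it active (linked to the issuer's
verification page for *this* site) and is its displayed scan date fresh?

Added example. The issuer host, query-parameter layout, caption format
and sample snippets are constructed assumptions, not any vendor's format.
"""
from datetime import date, timedelta
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class SealParser(HTMLParser):
    """Collect the first <a href>, the first <img alt>, and all text nodes."""

    def __init__(self):
        super().__init__()
        self.href = None
        self.alt = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and self.href is None:
            self.href = attrs.get("href")
        elif tag == "img" and self.alt is None:
            self.alt = attrs.get("alt")

    def handle_data(self, data):
        self.text.append(data.strip())


def assess_seal(snippet, site_host, issuer_host, today, max_age_days=1):
    """Return a list of findings; an empty list means every check passed.

    site_host   -- host the seal is displayed on
    issuer_host -- host the issuer's verification pages live on (assumed)
    today       -- reference date for the staleness check (injected so the
                   function is deterministic and testable)
    """
    p = SealParser()
    p.feed(snippet)
    findings = []

    if p.href is None:
        # A bare image is a passive seal: the picture proves nothing.
        findings.append("passive: seal image is not linked to a verification page")
        return findings

    url = urlparse(p.href)
    host = (url.hostname or "").lower()
    if url.scheme != "https" or not (host == issuer_host or host.endswith("." + issuer_host)):
        findings.append(f"link does not go to the issuer over https: {p.href}")

    # The verification page must be for the site showing the seal, not some
    # other site whose (genuine) seal embed was copied wholesale.
    claimed = parse_qs(url.query).get("site", [""])[0].lower()
    if claimed != site_host.lower():
        findings.append(f"verification link is for '{claimed or '(none)'}', not '{site_host}'")

    scan_date = None
    for t in p.text:
        if t.lower().startswith("scanned"):
            try:
                scan_date = date.fromisoformat(t.split()[-1])
            except ValueError:
                findings.append(f"unparseable scan date: {t!r}")
    if scan_date is None:
        findings.append("no scan date displayed")
    elif today - scan_date > timedelta(days=max_age_days):
        findings.append(f"scan date {scan_date} is stale ({(today - scan_date).days} days old)")
    return findings


# Constructed sample embeds (not real vendor markup).
GOOD_SEAL = ('<a href="https://verify.example-seal.test/check?site=shop.example.com">'
             '<img src="seal.png" alt="Example Seal"></a><span>Scanned 2024-05-02</span>')
COPIED_SEAL = '<img src="seal.png" alt="Example Seal">'          # image only, no link
WRONG_SITE_SEAL = ('<a href="https://verify.example-seal.test/check?site=other.example.com">'
                   '<img src="seal.png" alt="Example Seal"></a><span>Scanned 2024-04-01</span>')
SAMPLE_TODAY = date(2024, 5, 2)


def run_checks():
    """Assess the three constructed embeds as if displayed on shop.example.com."""
    args = ("shop.example.com", "example-seal.test", SAMPLE_TODAY)
    return {
        "good": assess_seal(GOOD_SEAL, *args),
        "copied": assess_seal(COPIED_SEAL, *args),
        "wrong_site": assess_seal(WRONG_SITE_SEAL, *args),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "->", findings or ["ok"])
```

Only the "good" embed passes: the copied image is flagged as passive, and the copied-from-elsewhere embed is flagged both for naming a different site and for a scan date a month old. The staleness threshold of one day mirrors the article's point that only a daily scan with a displayed date keeps the seal meaningful.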

Examples

As of 2005, in the US market BBB On-Line, TRUSTe, Symantec and WebTrust were generally recognized as significant players.[6] Also notable are GeoTrust, DigiCert, Norton, Comodo and MerchantCircle. Examples of business practice seals are BBB, ScanVerify and TrustLock. The CDSBureau Trust Seal is unique among trust seals in that it certifies businesses that ensure the security of confidential customer data kept in digital, paper or any other form. CDSBureau is free and comes with privacy, cyber and data security trust seals. A study published in 2016 by the Copenhagen-based web usability consultancy Baymard Institute ranked the top four trust seals as (in alphabetical order) BBB, Norton Secured (formerly Symantec Trust Seal), Google Trusted Store and TRUSTe.[7] In February 2017, Google announced that it was closing its Google Trusted Store label and folding it into Google Customer Reviews (GCR). GCR is not a certification program; it collects reviews from customers after they make a purchase and receive their merchandise.[8] Except for GCR, each of the above offers a fee-based annual subscription service, allowing the trust seal to be placed on a subscriber's website for the subscription period.


References

  1. Hu, Xiaorui; Lin, Zhangxi; Zhang, Han (2001-12-21). "Myth or Reality: Effect of Trust-Promoting Seals in Electronic Markets" (PDF). Retrieved 2008-06-16.
  2. Dan Goodin (2008-04-29). "McAfee 'Hacker Safe' cert sheds more cred". The Register. Retrieved 2008-06-13.
  3. Ryan Naraine and Dancho Danchev (2008-05-01). "More bad news for McAfee, HackerSafe certification". ZDNet. Archived from the original on May 4, 2008. Retrieved 2009-07-26.
  4. Atticus Y. Evil, Eric F. Shaver and Michael S. Wogalter. "On trust in the Internet: Belief cues from domain suffixes and seals". Department of Psychology, North Carolina State University.
  5. Evan Schuman (2010-03-05). "FTC: Web Site Security Seals Are Lies". CBS News. Retrieved 2001-12-31.
  6. Jagdish Pathak (2005). Information Technology Auditing: An Evolving Agenda. Springer. p. 57. ISBN 978-3-540-22155-5.
  7. Baymard Institute. "How Users Perceive Security During the Checkout Flow (Incl. New 'Trust Seal' Study)". Baymard Institute. Retrieved 18 September 2017.
  8. Marvin, Ginny (March 6, 2017). "Google tells retailers the Trusted Stores program is shutting down". www.marketingland.com. Third Door Media, Inc. Retrieved 18 September 2017.