[Cryptography] Sites certified as secure often more vulnerable

ianG iang at iang.org
Sun Dec 7 11:41:35 EST 2014 

On 4/12/2014 19:53 pm, Henry Baker wrote:
> Sites certified as secure often more vulnerable to hacking, scientists find
> Security seals aren't worth the bits they're made of, let alone the fees.
>
> by Dan Goodin - Dec 4, 2014 6:36 pm UTC
>
> http://arstechnica.com/security/2014/12/sites-certified-as-secure-often-morevulnerable-to-hacking-scientists-find/


"Seals certifying the security of e-commerce sites and other online 
destinations have long aroused suspicions that they're not worth the 
bits they're made of—much less the hundreds or thousands of dollars they 
cost in yearly fees. Now, computer scientists have presented evidence 
that not only supports those doubts but also shows how such seals can in 
many cases make sites more vulnerable to hacks."

===

These seals sellers are examples of /institutions/, which are ways to 
move information or resources from one group to another in a trusted 
fashion, when they can't clear the market for direct trade.

The market for security exhibits a paucity of hard information.  It is 
very clear that the buyer has no way to know if some product is helpful 
or not, if she is left to looking directly at the product.

E.g., an anti-virus product does stuff, but the buyer doesn't and can't 
measure whether it is doing any good.

The buyer needs help.  Where does that help come from?

An institution can help to capture seller information and move it to the 
buyer.  Brands can use past good behaviour and leverage it to promise 
future protection.  Closely related, word-of-mouth or reputation can 
also inform.  Insurance can share the losses across a large group. 
Warranties can put 'skin in the game' for the vendor.  Audit is another.

But brands [0] and word-of-mouth need to be built on these other things, 
and can quickly flip.  Warranties or insurance are unheard of in the 
security business [1].  Audits are impenetrable, unreliable and 
self-serving.  Which leaves institutions?

What the above research is saying is that these institutions in 
particular are not doing any good, and are possibly opening new holes 
and encouraging users to relax.  Which says something bad about 
institutions, but it is difficult to sort out the correlations from the 
causalities.



Are all institutions in security failures?  Is there a successful 
institution in security?

Is there a tweak that these seal sellers could perform, perhaps at 
greater cost, to push their institution into positive benefit?  If so, 
why didn't they?

Is the information base so suspect that an institution cannot be 
honestly built?

Is there something about the economic incentives that leads all 
well-meaning ventures into a race to the bottom, and eventual 
irrelevance on security if not incumbency questions?



iang



[0]   The 10 brands that are involved: Norton Secured, McAfee Secure, 
Trust-Guard, SecurityMetrics, WebsiteProtection (provided by GoDaddy), 
BeyondSecurity, Scan Verify, Qualys, HackerProof, and TinfoilSecurity 
are mostly well known, perhaps we can say this is as good as it gets.

[1]  Perhaps not unheard of but notable through its rarity.  PHB 
mentions it recently for CAs, and there are occasional people popping up 
claiming that they are going to build it.

More information about the cryptography mailing list