Has anyone noticed the security seals on Web sites? If not, here’s what they look like:
This is how they work: you click on the seal, and a pop-up window opens telling you that the bearer of the seal is indeed who they claim to be. Plus some marketing material and sometimes a link to an abuse report form. Please go to the Web sites of the SSL certificate vendors to see this amazing functionality yourself. Moreover, according to Verisign:
Displaying the seal on your Web site can increase visitor-to-sales conversions, lower shopping cart abandonment, and result in larger average purchases.
They also call it a trust mark. Never mind that the real trust mark is the padlock that is displayed by the browser. Well, there’s one problem with that: not many people pay attention to the padlock. So someone in the marketing department came up with the seal idea.
In reality the seals closely resemble Web page ads. And they have a similar role: the seals allow vendors of SSL certificates to collect information about visitors to the Web sites that use those SSL certificates. Thawte even displays a convenient invisible image (https://extended-validation-ssl.thawte.com/dot_clear.gif), the type often used for user tracking, to those who click their seal.
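A site owner can check what a seal embed makes every visitor's browser fetch from the vendor, since each such request hands the vendor the visitor's IP address and usually the referring page. The following is an added example, not code from the original post or from any certificate vendor; the sample page, the host seal.ca-vendor.example and the paths in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; the hosts and paths are placeholders, not real vendor URLs.
SAMPLE_HTML = """
<html><body>
<img src="/img/logo.png" width="120" height="40">
<script src="https://seal.ca-vendor.example/getseal.js"></script>
<img src="https://seal.ca-vendor.example/dot_clear.gif" width="1" height="1">
<a href="https://seal.ca-vendor.example/verify">Verify this site</a>
</body></html>
"""

class ThirdPartyAudit(HTMLParser):
    """Collect resources the browser fetches on page load from other hosts."""
    AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = self.AUTO_FETCH.get(tag)
        values = dict(attrs)
        if attr is None or not values.get(attr):
            return  # links are only followed on click, so <a> is not counted
        url = urljoin(self.page_url, values[attr])
        host = urlparse(url).hostname
        if host is None or host == self.page_host:
            return  # same-origin or non-network (data:) resource
        # A 0x0 or 1x1 image is the classic invisible tracking pixel.
        pixel = (tag == "img" and values.get("width") in ("0", "1")
                 and values.get("height") in ("0", "1"))
        self.findings.append({"tag": tag, "host": host, "url": url, "pixel": pixel})

def audit(html, page_url):
    """Return the third-party fetches that loading page_url would trigger."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "https://shop.example/checkout"):
        kind = "tracking-pixel candidate" if f["pixel"] else "third-party fetch"
        print(f"{kind}: <{f['tag']}> {f['url']}")
```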
Meanwhile, users tend to ignore picture ads – especially those saying “click me”. So the primary, advertised function isn’t achieved. Not that the picture or the pop-up window proves anything. Spoofing is trivial.
Commercial certification authorities must end this practice. As something that gives a false sense of security, the secure seal is bad for security.