An interesting picture appears on the PBS Shop Web site:
Because of what it says I felt an urge to click on it. The first attempt (a right-click) resulted in the following message box:
I think the law that prohibits copying the picture doesn’t exist. Otherwise my Web browser would be breaking the law by caching the picture, for example. And the trademark law, at least in Australia, USA and other Western countries, actually allows nominative fair use (as well as parody).
But I don’t need to do any copying anyway. The “HACKER SAFE” picture above is provided to you directly from its source, controlscan.com (and “certifies” sites other than this weblog). Clicking on it will show a page that says, among other things:
Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning HACKER SAFE certification, can prevent over 99% of hacker crime.
I would be really interested in the methodology of that research. Why 99% and not 99.9%? But mentioning research is just weasel words here.
The company that brings you the “HACKER SAFE” picture provides many services related to Web security and privacy protection. Every single one comes with its own picture (they are called “trust seals”):
That, as I wrote, gives a false sense of security. Looking at the service offerings reveals more interesting facts:
The company provides vulnerability scanning for those who need to be compliant with the flawed and largely useless Payment Card Industry Data Security Standard;
The company offers vulnerability scanning bundled together with EV SSL certificates – overpriced ones, supposedly more secure and with questionable benefits;
EV SSL certificates are positioned to secure E-Mail applications, among other things. Internet email standards generally don’t require a browser, and current EV certificates’ main distinction is the green address bar in IE7. You can encrypt SMTP using SSL, but the fact that the SSL certificate is Extended Validation will make exactly zero difference compared to any other SSL certificate. I won’t be surprised, though, if an EV flavour of mail-signing certificate emerges;
And the certificates are positioned as those giving the “Highest Level of Digital Encryption available in industry” – even though the level of encryption (the cipher suite and key length negotiated between client and server) doesn’t really have much to do with the type, or issuer, of the certificate.
Vulnerability scanning has its value. It’s a very basic security control that allows trivial system administrators’ mistakes to be identified independently of their process. But it doesn’t prevent 99% of security exposures. If it did, what about the remaining 1%? Is one attack out of a hundred successful? One attacker out of a hundred? That doesn’t make sense.
In the example above we see how aggressive marketing can be misleading, even deceptive, and therefore diminish the value of an otherwise useful service.