Is Malware Hiding Behind that Certified Site?
A new study warns that Web sites containing security certificates are
not necessarily safe. The results were somewhat surprising when Web
sites bearing the TRUSTe security certificate were compared against a
list of known malware sites from McAfee's Siteadvisor product, a
service that black-lists Web sites containing spyware, spam, viruses
and online scams.
Web sites that feature the TRUSTe security certificate are two times
more likely to contain badware than Web sites without any security
certification, spyware and adware researcher Ben Edelman alleges in a
new report. Among others, adware providers Direct-Revenue and
Webhancer are using TRUSTe certificates in an attempt to look more
trustworthy than they really are, Edelman claimed. Direct-Revenue is
facing legal action from the New York Attorney General for its adware
software. Edelman alleged that Webhancer often is installed without
the user's consent.
TRUSTe is a so-called certification authority, an independent
organization that issues security certificates to Web sites. These
certificates indicate that a service adheres to certain privacy
guidelines, allowing users to verify that they are on the Web site
that they intended to visit.
The independent certificate authorities perform a background check to
verify the identity of the Web site's operator and ensure compliance
with the privacy standards. Web sites that meet the organization's
criteria are allowed to display the TRUSTe logo on their Web site.
The perceived trustworthiness of a certified Web site makes such
certificates an attractive target for Web sites pushing malware and
adware.
In his study, Edelman compared TRUSTe certified Web sites with a list
of known malware sites from McAfee's Siteadvisor product, a service
that black-lists Web sites containing spyware, spam, viruses and
online scams.
Using a base sample of 500,000 Web sites, Edelman determined the
number of sites that have TRUSTe certification and cross-checked those
against the McAfee list. Edelman found that 5.4 per cent of the TRUSTe
sites were considered untrustworthy. Only 2.5 per cent of the sites
from the base sample were blacklisted in Siteadvisor.
Edelman alleges that TRUSTe has no incentive to properly verify
compliance with privacy standards.
"Writing tough rules isn't easy, and enforcing them is even harder.
Hard-hitting rules are particularly unlikely when certification
authorities get paid for each certification they issue, but get
nothing for rejecting an applicant," Edelman wrote in a blog posting.
TRUSTe responded that the organization disagrees with Edelman's
findings, stressing that the certification process is thorough and
specific.
"Saying that our sites are more untrustworthy is a stretch," TRUSTe's
marketing director Carolyn Hodge told vnunet.com.
In a blog posting, the organization challenged the notion that
Siteadvisor's blacklist provides an accurate overview of Web sites
that should be considered untrustworthy. The group also pointed out
that Direct-Revenue is no longer certified and that Webhancer will be
required to submit its software for certification to the forthcoming
Trusted Download program.
Copyright 2006 NewsFactor Network.