This Site is Safe from Hackers. Is it really?

Information Security Experts are voicing their opinions about the significant drawbacks and outright misleading marketing associated with tools like ScanAlert and SiteAdvisor.

Antivirus and antimalware developers have been in the spotlight for the last month or so (and the focus of malware developers for much longer) over the plan to run the Race to Zero contest at this year's DefCon in Las Vegas. Now it might be the turn of companies that produce and promote 'This Site is Safe from Hackers'-style certification and coverage for their clients to share the spotlight.

Since at least late 2006, various small groups of interested Information Security researchers have turned their attention to the quality (or lack thereof) of the scanning service these vendors provide to Web sites. Unfortunately for the vendors, the results have been just as embarrassing as the protection coverage provided by common antivirus tools: great at identifying issues that are fairly old and well known, but deficient when it comes to current vulnerabilities.

Worsening the case for the vendors are accusations that their tools are inconsistent across the same class of vulnerability (XSS or SQL Injection, to name two). These accusations have been backed up with numerous examples where the certification fails to deliver.

Since the end of April there has been an increasing chorus of voices speaking out about the poor performance and sometimes downright misleading marketing associated with these products. With noted Web Security researchers such as Ronald van den Heetkamp, Nate McFeters, Jeremiah Grossman, and Jericho publicly airing their grievances with the state of these tools, more people are beginning to sit up and take note of the difference between reality and marketing for the current state of this technology.

It isn't just these tools under the spotlight, with SiteAdvisor, in-browser malicious site alerts, and other similar tools having similar accusations levelled against them, complete with examples where alerts of malicious activity have been misdirected or completely missed. Even then the tools suggested to address the problems have their own limitations, suggesting that the underlying technological problems still have not been addressed properly.

One of the biggest problems that all tools like this face is that the entire lifecycle of an attack against a site and its users can be complete before the list of 'bad' sites, or the detection technology itself, can be updated. This means that users trusting in the tick of approval will be at risk of compromise from a site marked safe, while others will avoid a safe site because of an out-of-date list (even a list only a few hours old is enough). When PayPal publicly had an XSS vulnerability disclosed at the end of last week (with no notice of resolution), SiteAdvisor, at least, still rated it as safe.

That might be the least of the problems for Safari users, though, after "Carpet Bombing" was disclosed earlier this week. Carpet Bombing is being used to describe Safari's automated downloading of files without the user's consent via a newly disclosed technique. Placing files in a known position on a user's system is the first step to system compromise in a number of blended attacks (attacks using more than one vulnerability to achieve the desired result). After Apple declared it a non-security issue, the researcher behind the discovery released it publicly along with another problem, where Safari happily runs scripts from local files. This last issue seems very similar to a zero-day code execution vulnerability for Internet Explorer released last week. In both cases, it would take intentional effort from the user for a system to be affected, but it points to continuing serious security problems for browser developers.

With a rapidly changing online security environment, where threats from attackers and vulnerabilities in browsers can be discovered and globally attacked within hours, tools like ScanAlert, SiteAdvisor, and others in their class will always be reactive to what is already known. As the gulf between threat emergence and vendor awareness grows, vendors are always going to be playing a game of catch-up. Users should be aware of this when they rely on the output from these tools to decide whether a site is safe or not.

Just in case you were wondering where you should look for guidance on how to keep your site at least relatively safe and secure, or if you are just looking for guidance on what is a threat, OWASP is a good place to start, especially with its Top Ten Guide to web vulnerabilities.

Carl Jongsma

Computerworld