Is Malware Hiding Behind that Certified Site?
A new study warns that Web sites containing security certificates are not necessarily safe. The results were somewhat surprising when Web sites bearing the TRUSTe security certificate were compared against a list of known malware sites from McAfee's Siteadvisor product, a service that black-lists Web sites containing spyware, spam, viruses and online scams.
Web sites that feature the TRUSTe security certificate are two times more likely to contain badware than Web sites without any security certification, spyware and adware researcher Ben Edelman alleges in a new report. Among others, adware providers Direct-revenue and Webhancer are using TRUSTe certificates in an attempt to look more trustworthy than they really are, Edelman claimed. Direct-revenue is facing legal action from the New York Attorney General for its adware software. Edelman alleged that Webhancer often is installed without the user's consent.
TRUSTe is a so-called certification authority, an independent organization that issues security certificates to Web sites. These certificates indicate that a service adheres to certain privacy guidelines, allowing users to verify that they are on the Web site that they intended to visit.
The independent certificate authorities perform a background check to verify the identity of the Web site's operator and ensure compliance with the privacy standards. Web sites that meet the organization's criteria are allowed to display the TRUSTe logo on their Web site.
The perceived trustworthiness of a certified Web site makes such certificates an attractive target for Web sites pushing malware and adware.
In his study, Edelman compared TRUSTe certified Web sites with a list of known malware sites from McAfee's Siteadvisor product, a service that black-lists Web sites containing spyware, spam, viruses and online scams.
Using a base sample of 500,000 Web sites, Edelman determined the number of sites that have TRUSTe certification and cross-checked those against the McAfee list. Edelman found that 5.4 per cent of the TRUSTe sites were considered untrustworthy. Only 2.5 per cent of the sites from the base sample were blacklisted in Siteadvisor.
Edelman alleges that TRUSTe has no incentive to properly verify compliance with privacy standards.
"Writing tough rules isn't easy, and enforcing them is even harder. Hard-hitting rules are particularly unlikely when certification authorities get paid for each certification they issue, but get nothing for rejecting an applicant," Edelman wrote in a blog posting.
TRUSTe responded that the organization disagrees with Edelman's findings, stressing that the certification process is thorough and specific.
"Saying that our sites are more untrustworthy is a stretch," TRUSTe's marketing director Carolyn Hodge told vnunet.com.
In a blog posting, the organization challenged the notion that Siteadvisor's blacklist provides an accurate overview of Web sites that should be considered untrustworthy. The group also pointed out that Direct-Revenue is no longer certified and that Webhancer will be required to submit its software for certification to the forthcoming Trusted Download program.
Copyright 2006 NewsFactor Network.