Why web site logos are phony security

Probably the worst possible kind of Internet security we have today is the 'secure site logo'.  I'm not saying that the people behind these schemes are not well meaning, or that they are dishonest.  Far from it.  They are not.

It's actually very hard to get traders anywhere to sign up to a scheme that has rules that limit their ability to sell to anyone, market to anyone, collect as much marketing information as they want about anyone.  And we have to remember that many of these schemes are focused at the whole waterfront of ethical trading behavior - not just the narrow perspective of security.

Personally, I would like to congratulate them all on establishing clear, sound, ethically defensible standards for trading with the consumer and ensuring that these are carried through into practice.

So what is the problem?  Well, it's what they do to prove how honest they are.  You see, anyone can get hold of those logos and put them on their own site.  Worse than that, rogue traders are far more likely to claim these honors - why break only one law?  And claims that logos cannot be copied are unfortunately misleading.  Anything that can be captured by the 'print screen' command can be copied, and any windows that are supposed to appear by clicking on those logos can also be copied.

No doubt I am about to be religiously flamed by irate, and honest, traders, demanding to know how they can be expected to do any better.  Everyone knows that Internet security is an oxymoron.  They are doing their best, so why can't I respect that?

Well, I do.  Except that techniques are now becoming available which exploit the much-misunderstood technology of PKI, and which can actually solve this problem.

PKI (Public Key Infrastructure) is an approach to using cryptography in order to identify individuals over the Internet. Unfortunately, it has been oversold (hyped, in American) as the cure for all known, or even unknown, security ills. Empires (that have since crumbled) were built upon those grandiose dreams.

However, at least one aspect of PKI was, and still is, valid. It does allow for identification. And that is very valuable when it comes to a web trader wanting to make sure the customer really knows it's them, and not some rascal ripping off both them and the public. PKI gives the consumer protection system a method by which they can actually ensure that only the honest get recognized.

Can you do this, and if you can, how?

Well, the first thing that traders need to do is to make sure that they get their trade association (chamber of commerce or whatever) to become a Certification Authority, and then issue certificates to bona fide members. Members use these to digitally sign the contents of their web site, thus proving that they are genuine. Customers, equipped with software on their PC, can have web pages checked automatically to be sure that the pages (and, by implication, the logos!) are genuine, and the site really is them.
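The association-as-CA scheme described above, as an added example that is not part of the original article: an ed25519 signature chain stands in for X.509 (a deliberate simplification), the member's domain is bound into both the certificate and the page signature, and the domains shop.example and shop-example.invalid are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Cert is a simplified stand-in for an X.509 certificate: the association (CA) binds a member key to one domain.
type Cert struct {
	Domain string
	Pub    ed25519.PublicKey
	CASig  []byte // association's signature over Domain||Pub
}
func certBody(domain string, pub ed25519.PublicKey) []byte {
	return append([]byte(domain+"|"), pub...)
}
// IssueCert: the association certifies a bona fide member for its domain.
func IssueCert(caPriv ed25519.PrivateKey, domain string, memberPub ed25519.PublicKey) Cert {
	return Cert{domain, memberPub, ed25519.Sign(caPriv, certBody(domain, memberPub))}
}
// SignPage: the member signs the page with its domain bound into the hash, so the signature only verifies for that domain.
func SignPage(memberPriv ed25519.PrivateKey, domain string, page []byte) []byte {
	h := sha256.Sum256(append([]byte(domain+"\n"), page...))
	return ed25519.Sign(memberPriv, h[:])
}
// VerifyPage is the customer-side check: cert names the address-bar domain, was issued by the association, and signed this page.
func VerifyPage(caPub ed25519.PublicKey, c Cert, addrBar string, page, sig []byte) bool {
	if c.Domain != addrBar || !ed25519.Verify(caPub, certBody(c.Domain, c.Pub), c.CASig) {
		return false
	}
	h := sha256.Sum256(append([]byte(addrBar+"\n"), page...))
	return ed25519.Verify(c.Pub, h[:], sig)
}
// Demo: the genuine site verifies; a verbatim copy on another host and a self-issued certificate are both rejected.
func Demo() (genuine, copyRejected, selfIssuedRejected bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	memPub, memPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogPub, rogPriv, _ := ed25519.GenerateKey(rand.Reader)
	page := []byte("<html><img src=trustmark.png></html>") // constructed sample page
	cert := IssueCert(caPriv, "shop.example", memPub)
	sig := SignPage(memPriv, "shop.example", page)
	genuine = VerifyPage(caPub, cert, "shop.example", page, sig)
	// The rogue copies page, logo, cert and signature verbatim onto its own host: domain mismatch.
	copyRejected = !VerifyPage(caPub, cert, "shop-example.invalid", page, sig)
	// The rogue issues itself a cert and signs with it: not the association's signature.
	rogCert := IssueCert(rogPriv, "shop-example.invalid", rogPub)
	rogSig := SignPage(rogPriv, "shop-example.invalid", page)
	selfIssuedRejected = !VerifyPage(caPub, rogCert, "shop-example.invalid", page, rogSig)
	return
}
```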

Easy? Well apparently not. It seems that the idea of letting customers verify who web sites are is a bit novel, and solutions for this are only just coming onto the market.

So this is a message to customers and traders. Look out for solutions that allow customers to be certain that these logos are genuine. Don't just publish and be damned.

Customers - take care to check that the logos really do belong to the people that claim them. It's all too easy to assume that if the company has a nice logo on its site then all is well. Unfortunately there are tools around that let a hacker rip down a web site, and then mount it and run it as if it is the original. If you don't have a security monitor on your PC that is checking that the web site pages are genuine, make sure that the web site address in the field at the top of the browser actually is that of the company it claims to be. Also check that the logo they claim matches the company name in the web site of the issuing organization.

You are all in a market - rather like the old high street markets - you have no idea who you are dealing with! If you can hold the goods you are buying in your hands and make certain of what you are buying then all well and good. If you want to be sure of delivery, seller's and manufacturer's warranty and all those good things, check carefully. With the Internet it can be really hard to tell, until you have your software on your PC doing the job for you.

