Certification, Not A Guarantee Of Malware-Free Websites

Surprisingly, advertisement websites that are characteristic of TRUSTe security certificate are twice as likely to harbor badware than websites, which do not have any security certification. Spyware and adware researcher Ben Edelman provided this view in a recent report on September 26, 2006.

Edelman also claimed that among many adware providers, "Direct - revenue" and "Webhancer" were using TRUSTe certificates to appear more reliable than they actually are. The New York Attorney General is conducting legal action against 'Direct - revenue' for its adware software. According to Edelman, Webhancer is often installed without the user's knowledge.

A so-called certification authority, TRUSTe is an independent organization that certifies websites for security. TRUSTe brings out a 'whitelist' of certified, non-malicious programs used by different companies. Adware authors who want to acquire membership on the list must disclose the kinds of advertisement they display, the private information they intercept and the personal settings they alter. When users commend the applications, an 'uninstall' option shows up, which enables access to the whitelist.

These certificates are proof that the websites adhere to some privacy guidelines, letting users to verify that they are viewing the website they wanted to visit. The independent certification authorities carry out a 'behind the screen' check to verify the individuality of the website's operator and also that he complies with the privacy standards. Websites that satisfy the organization's specifications are permitted to display the TRUSTe logo on their sites.

The apparent belief of trusting a certified website attracts websites distributing malware and adware to aim for such certificates. Under the cover of certification, the adware companies greatly increase their distribution network.

Edelman used a sample of 500,000 websites to determine the number of sites certified by TRUSTe and also crosschecked those against the McAfee list. His results showed that 5.4% of the TRUSTe sites were considered unreliable. Also, 2.4% of the sites were blacklisted in SiteAdvisor.

While it is difficult to write tough rules, it is even harder to enforce them. Certification authorities are particularly unlikely to set hard-hitting rules because they get paid for issuing a certificate. But, if they reject an application, they get nothing out of it.

Related article: Creative Software AutoUpdate Engine Vulnerable to ActiveX Control Fault

» SPAMfighter News - 10/3/2006