In the current web of distrust, malware, and server compromises, convincing an online consumer that a website is secure, can make the difference between a visitor and a buyer. Third-party security seals position themselves as a solution to this problem, where a trusted external company vouches for the security of a website, and communicates it to visitors through a security seal.
In our research, we explore the ecosystem of third-party security seals focusing on their security claims, in an attempt to quantify the difference between the advertised guarantees of security seals, and reality. Through a series of automated and manual experiments, we discover a real lack of thoroughness from the side of the seal providers. Among other things, we show how seals can give more credence to phishing attacks, and how the current architecture of third-party security seals can be used as a completely passive vulnerability oracle, allowing attackers to focus their energy on websites with known vulnerabilities.