All Those “Seals of Approval” on Websites Don’t Really Mean Anything

By Chris Hoffman on October 24th, 2014


You’ll see badges like “Norton Secured,” “Microsoft Certified Partner,” and “BBB Accredited Business” all over the web — especially when downloading software. You shouldn’t blindly trust a website that displays such badges — they’re just images anyone can copy and paste.

Advice like, “If you see a McAfee SECURE seal on a website, you know it’s safe,” is wrong-headed and potentially dangerous. It’s convenient for the companies selling these certifications, but it’s bad advice that could get people in trouble.

Trust Seals 101

These badges — technically called “trust seals” — are just images. Anyone could copy and paste these images and put them on any software download page. Really, we can’t stress this enough. Although a seal of approval might look fancy and official, it’s no different from a statement written out in text. If you saw a scammy-looking software download page that said, “This software was certified virus-free by Symantec!”, would you blindly trust it? Of course not! Of course they’d say that — anyone can write that.

The same goes for other types of badges — they’re just the same thing as writing out, “We’re an official Microsoft partner,” “CNET gave our software a 5-star editor’s choice rating,” or “We are a BBB accredited business with an A+ rating.” You’d rightly look on these statements with suspicion if the website seemed suspect.

The introduction to this article contains a bunch of seals that we just copied and pasted. Any malware author or phisher could copy and paste these logos in just a few seconds, too. (Luckily, our reproduction of these seals falls under fair use because we’re using them for the purposes of criticism. Someone who copied these seals to mislead people would be violating copyright law.)


How Can You Even Verify Them?

In theory, you should be able to click such badges and go directly to the website that provided the seal of approval. The seal-provider’s website would then inform you whether the original website you were on is actually trusted.

That’s how it should work. In reality, there’s often no way to click such badges to check that they’re actually official — even on sites using them for legitimate purposes. If you really are curious whether it’s true — whether a piece of software is indeed a “PCWorld editor’s choice” or a company is accredited by the Better Business Bureau — you’ll need to head to the website of the company providing the badge and do a search to find out whether the claims are legitimate.

It goes without saying that most people won’t actually do this research. Instead, these shiny badge images provide a sheen of legitimacy on many software download pages. They may be used correctly by many application developers, but anyone could easily appropriate them for scammy, malicious software — the seals don’t mean anything on their own.

Worse yet, an official confirmation of which sites are legitimate may be very difficult to find. Microsoft certainly doesn’t provide an easy-to-find list of all their “certified partners,” for example. However, some seals you can click — be sure it actually opens the seal provider’s website and not an imposter verification page.
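The click-through check described in this section can be automated when reviewing a page. The sketch below is an added example, not code from the original article: it finds seal images in a page's HTML and reports whether each one is a bare image, links to the seal provider, or links somewhere else. The provider hostnames are placeholder assumptions (`.example` names), and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed placeholder hostnames, not the providers' real verification sites.
PROVIDERS = {"norton": "seal.norton.example",
             "mcafee": "verify.mcafee.example",
             "bbb": "accredited.bbb.example"}

# Constructed sample page: an unlinked badge, a real link, a look-alike link.
SAMPLE = """
<img src="/img/norton-secured.png" alt="Norton Secured">
<a href="https://verify.mcafee.example/site/shop.example"><img src="/img/mcafee.png" alt="McAfee SECURE"></a>
<a href="https://accredited.bbb.example.seal-check.example/ok"><img src="/img/bbb.png" alt="BBB Accredited Business"></a>
"""

class SealAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href_stack = []  # hrefs of the <a> elements currently open
        self.findings = []    # (seal keyword, verdict, link hostname or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.href_stack.append(a.get("href") or "")
        elif tag == "img":
            label = f"{a.get('alt') or ''} {a.get('src') or ''}".lower()
            for key, expected in PROVIDERS.items():
                if key in label:
                    self.findings.append((key, *self._judge(expected)))

    def handle_endtag(self, tag):
        if tag == "a" and self.href_stack:
            self.href_stack.pop()

    def _judge(self, expected):
        if not self.href_stack:
            return ("static-image", None)  # nothing to click, nothing to verify
        url = urlparse(self.href_stack[-1])
        # Exact hostname match: a look-alike that merely contains the name fails.
        if url.scheme == "https" and url.hostname == expected:
            return ("links-to-provider", url.hostname)
        return ("links-elsewhere", url.hostname)

def audit(html):
    parser = SealAuditor()
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A `links-to-provider` verdict only shows where the click leads; the provider's page still has to confirm the site you came from.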


Seals Don’t Mean What You Might Think

You should also consider what the seals actually mean. For example, the “Norton Secured” seal just means the website is having daily malware and vulnerability scans performed on it. The BBB Accredited badge just means the website’s company is registered with the Better Business Bureau. A 5-star rating from a software download site just means a reviewer at some point in the past gave that program a good rating. A “Microsoft Certified Partner” badge is even more confusing and doesn’t seem to mean much at all.

Importantly, these badges don’t mean that Norton, another antivirus company, the Better Business Bureau, or Microsoft have tried the software and placed their stamp of approval on it.

For example, scammy PC-cleaning software “MyCleanPC” displays a “Verisign Secured” badge on their website. This just means they purchased an SSL certificate from Verisign that will be used to secure your payment information when you fall for their tricks and pay up.

Driverupdate.net’s useless driver-updating tool proudly proclaims it’s from a “Microsoft Gold Certified Partner,” but any Microsoft employee worth their salt would recommend against using this tool. Driverupdate.net also has McAfee SECURE certification — it’s not technically malware, so it passes.


Trust Green Names in Your Browser’s Address Bar — That’s It

The one thing you can trust is your web browser. If it displays a green name next to your address bar, that confirms the current website has had its identity verified. For example, in the screenshot below, our web browser has confirmed this is the real Bank of America site. Bank of America has gone through an identity verification process. Read more about these “Extended Validation” certificates and how they’re more trustworthy than typical SSL certificates.

Importantly, you can trust this because it’s displayed in your browser. It’s not just an image that can be copy-pasted all over the Internet. An image that appears on a web page really doesn’t identify anything on its own.

And even then, this identity verification just means that website belongs to the company it claims to belong to. It doesn’t necessarily mean the company itself or its software is trustworthy.



Yes, it’s true that a legitimate website displaying a false seal would get complaints and be forced to take it down. But we’re not worried about legitimate sites here — we’re concerned about fly-by-night sites pushing malware and phishing scam pages. Those are the kind of websites that would most benefit from stealing these seals. They’re already breaking the law, so violating the seal-provider’s copyright isn’t a problem for them.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.
