Walking on thin ice…
A friend of mine called me last week (I’m the de facto security/IT guy in my circle of friends). Her question was what to do when faced with the message below, as it was something she’d not seen before. The warning message, as you can see below, says that the site may no longer be secure because of an expired SSL certificate.
My immediate answer was that under no circumstances should she ever proceed. If in doubt, go to another site, visit their bricks and mortar address, or try calling or emailing the store. But do not use the website. The answer I got back from my friend was quite surprising: after enquiring what the issue was via Twitter, she was told by a representative of the site “This warning is nothing to worry about”. After sitting down to consider this I realised what horrendous advice this was. Why would a trusted site decide to offer such strange advice?
Reason number 1: The site doesn’t want to lose any customers
Reason number 2: The site does not understand the fundamentals of building consumer trust and therefore gives its customers misguided advice
Reason number 3: They are ignorant of the ramifications of people taking this kind of bad advice.
I defaulted to reason number three and berated the site owners in question. I then started to look into this particular issue and the site in question to see what had happened, and in this instance it was an oversight by the team managing the ecommerce site; they had an unexpected certificate expiration and were trying to mitigate the impact and cover up for what was an unfortunate oversight. However, to offer advice and tell customers to ignore the warning goes against any sensible best practices. Would they say the same thing the next time one of their customers receives an email asking the customer to reveal their credit card details and home address? I’d like to think not. How about if their site had been infected with malware? We know that sixty-one percent of malicious sites are actually legitimate websites that have been compromised and infected with malicious code. Business, technology, and shopping websites were among the top five types of sites hosting infections in 2012 (source: Symantec ISTR 2013). If my PC antivirus picked this up and blocked the site, would their advice be to ignore that warning too and continue?
Extreme examples perhaps, but I believe advising users to ignore security warnings is a bad practice and eCommerce vendors should not do anything to erode online trust by asking a user to ignore a warning designed for their protection.
So what’s my advice to my friend and to the greater public? Complain! And complain like hell. Use live chat, use the phone number published elsewhere on the web, use social media, shame those people who are abusing your trust and potentially endangering you. Demand that the site convince you to use it – they should be displaying a trust sign such as the Norton Secured Seal, and they should show users that the site has been scanned and is free of any malware. Let them know you’re not going to do business with them while your browser is showing any warnings about the safety or security of their site. Consumers have a lot of power, and if we complain and then vote with our feet these sites should get the message. Of course there are many of us who would close down a site as soon as we see a warning, but there are also those who are just not certain, and it’s these users who are being callously fooled by such terrible advice as to ignore a valid security warning.
If as an industry we repeatedly encourage users to ignore warnings, then we run the risk of devaluing trust and security online (and why, when online is such a big opportunity, would you want to take such a risk?). The security industry is doing its best to create warnings and safeguards within the tools that people use to conduct their business online. No one who works as part of that industry should ever tell someone to ignore a warning. An eCommerce site that advises a customer poorly deserves to lose that customer. Because once trust is gone it’s almost impossible to win it back, and unfortunately at that point we all lose.