March 7, 2019

(Don’t) Trust us, we’re 100% secure!

This is TaxHug, a site where Irish taxpayers can claim tax refunds.

There couldn’t be much more irony on one webpage. This self-proclaimed “100% Secure” website is served over plain, unencrypted HTTP, which Google Chrome and most other modern browsers flag in the address bar.

More irony in their FAQ:

And it doesn’t stop there: they also have two security seals at the bottom of the homepage.

Anyone can paste these icons onto their website, but if you genuinely obtain the “Norton Secured” seal from Norton Safe Web, it guarantees a few things, at least in theory. This is from Norton’s website.

I beg to differ with these claims. Most major browsers have distrusted Symantec-issued TLS certificates since late 2018 (Chrome 70 and Firefox 63, both released in October 2018), so no site should still be using one. Let’s not sugarcoat it: this security seal is worthless and should be discontinued if it’s still active. And it is not only this particular one. In general, security seals give users a false sense of trust and can even be used to expose vulnerable sites: the seal provider’s scan results act as an oracle for attackers. That is the conclusion of a 2014 research paper on third-party security seals (“Clubbing Seals”, Van Goethem et al., CCS 2014).

The other seal is “VeriSign Secured”. I will not go into detail on this one, but it is also issued by Norton (Symantec bought VeriSign’s certificate business in 2010)…

Let’s look a bit more closely at TaxHug’s HTTPS implementation. There is no HSTS header and no redirect from HTTP to HTTPS on this “100% secure” site, so let’s explicitly load it over HTTPS. Google Chrome refuses to load the website.

If we inspect the TLS certificate we see that it was indeed issued by Symantec, whose roots Chrome no longer trusts.

Luckily most browsers distrust Symantec certificates and prevent the site from loading. This is how it looks in Mozilla Firefox.
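The three problems above (no HTTP-to-HTTPS redirect, no HSTS, and a certificate chaining to a distrusted Symantec root) are easy to check for systematically. The script below is an added example, not TaxHug’s code and not a scan of the live site: the HTTP responses and the certificate are constructed stand-ins shaped like what Python’s `http.client` and `ssl.SSLSocket.getpeercert()` return, so a real check only has to swap in live data. The intermediate CA name in the sample is illustrative.

```python
"""Offline checks for a site's HTTPS posture: HTTP-to-HTTPS redirect,
HSTS, and whether the certificate issuer is a legacy Symantec CA.

Added example; nothing here contacts any server. Sample data at the
bottom is constructed, not captured from TaxHug.
"""

# Organisation names found in the issuer of certificates chaining to the
# legacy Symantec roots that Chrome 70 and Firefox 63 (October 2018)
# stopped trusting. Matched case-insensitively against organizationName.
LEGACY_SYMANTEC_ORGS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")


def _header(headers, name):
    """Case-insensitive header lookup; returns "" when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is absent or has no numeric max-age
    (browsers ignore such a header), otherwise a dict with the policy.
    """
    if not value:
        return None
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def http_upgrades_to_https(status, headers):
    """True when the plain-HTTP response redirects to an https:// URL."""
    location = _header(headers, "location")
    return 300 <= status < 400 and location.lower().startswith("https://")


def issuer_org(cert):
    """organizationName from the issuer of a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return None


def issuer_is_legacy_symantec(cert):
    org = (issuer_org(cert) or "").lower()
    return any(tag in org for tag in LEGACY_SYMANTEC_ORGS)


def assess(http_status, http_headers, https_headers, cert):
    """Return a list of findings for one site; empty means all checks pass."""
    findings = []
    if not http_upgrades_to_https(http_status, http_headers):
        findings.append("http:// is served without a redirect to https://")
    # HSTS is only honoured when received over HTTPS, so inspect that response.
    if parse_hsts(_header(https_headers, "strict-transport-security")) is None:
        findings.append("no usable Strict-Transport-Security header over HTTPS")
    if issuer_is_legacy_symantec(cert):
        findings.append("certificate issued by %s: distrusted by Chrome 70+ and Firefox 63+"
                        % issuer_org(cert))
    return findings


# Constructed sample mirroring the post: HTTP 200 with no redirect, no HSTS
# over HTTPS, and a Symantec-issued certificate (hypothetical hostname).
SAMPLE_HTTP_STATUS = 200
SAMPLE_HTTP_HEADERS = {"Content-Type": "text/html"}
SAMPLE_HTTPS_HEADERS = {"Content-Type": "text/html"}
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.invalid"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Symantec Corporation"),),
        (("commonName", "Symantec Class 3 Secure Server CA - G4"),),
    ),
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_HTTP_STATUS, SAMPLE_HTTP_HEADERS,
                          SAMPLE_HTTPS_HEADERS, SAMPLE_CERT):
        print("-", finding)
```

Note that the HSTS check is deliberately run against the HTTPS response only: browsers ignore a Strict-Transport-Security header received over plain HTTP, so a site that sets it only on the HTTP side gets no protection from it.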

When I saw this, I was wondering why they still hadn’t fixed it. Customers must have noticed and reported this over and over again.

Did they perhaps instruct their customers to load the site over HTTP only? That is absolutely a no-go: every site must use HTTPS, and there is no excuse for not having it anymore. But anyway, I tried to create an account over an HTTP connection.

And then I got redirected to the following HTTPS URL.

Luckily the browser prevents me from creating an account over this insecure connection. But this means that almost no one can create an account, unless they use a browser that still trusts Symantec TLS certificates.

To me this seems like something you would want fixed straight away. So maybe the website is no longer actively used and maintained? That is not very likely either: at the bottom of the homepage you can see that the year has been updated to 2019.

The last snapshot taken by the Wayback Machine was two months ago, on December 28, 2018. At that time the year on the homepage was still 2018.

Another possibility is that this is a scam or phishing site that is no longer being maintained.

Whatever the reason for the current state of this website may be, the lessons learned remain the same:

  • There’s no such thing as “100% secure”; security is not binary.
  • Security seals give a false sense of trust, and make your organization look foolish when the website hosting them has obvious security problems.
  • Marketing and security should work together to reduce harm.