SSL 'site seals' are even worse than you thought


July 12, 2021
We're Expedited Security. We help SAAS applications prevent and recover from attack, overcome regulatory or integration security requirements or just stop "weird" traffic before it becomes a problem.

Site seals promote bad user behavior, have questionable impact on conversions, and make your site boost your CA's SEO. Read on for more.

Why site seals exist

Certificate Authorities (CAs) have a problem: they want to show consumers their branding but can't. The only area of a browser users can actually trust - the address bar - doesn't show the CA's branding. A lock is shown, and extended validation certs show the company ID, but unless the user really likes HTTPS and starts to explore the certificate, that's all. Validation level aside, a Symantec certificate looks like a Comodo Certificate looks like a GoDaddy Certificate. For CAs, that's a problem.

So traditional CAs created something variously called a 'site seal', 'trust seal', 'secured seal', 'trust logo', or 'trust symbol'. These are all the same thing: an image showing the CA's brand, plus some JavaScript that sets up a click handler to open a report on the CA's website (we'll explain why the JavaScript exists later).

Heads up: we sell certificates, and occasionally get explicit requests from customers for site seals, which we'll happily fulfill. But we don't use site seals, and our management tools don't encourage site seals or mention them at all. Here's why.

Promoting misplaced trust

The report that appears when you click on a site seal mentions SSL, and may also cover additional services like malware scans, site scans, or insurance policies for misissued certificates. The report is presented from a secured site - again, the only part of a browser you can trust is the address bar - and the report's contents are often useful.

However, the seal image itself has no security value: site seals are easily copied, just like any other image on the internet, and anyone wanting to do something bad wouldn't hesitate to do so. Which is the crux of the issue:

The trust seal UI never encourages users to read the report: merely to trust the presence of the image.

Without such encouragement, it seems the design of the seal exists to make users trust an image. Encouraging users to trust identity information inside the browser's content area harms online security.

Do site seals impact conversions?

Traditional CAs have countless stories about the impact of user trust on conversions. But traditional CAs' studies can be questionable.

Let's look at independent research instead. UserTesting help other companies optimise their user experience. They do this by running large-scale experiments to find out the language, designs, and user experiences that make users convert. UserTesting are not part of the security industry, they're part of the 'helping you sell stuff online' industry. In 2015 they ran 'Optimize Your Web Forms for Maximum Conversion' with Michael Aagaard. If you're interested in online commerce, we recommend the whole series, but the specific part we're interested in occurs at 36:15.

"The version without all the other stuff and the site seals converted better...I've seen this happen in other tests also."

Here's the full quote:

There seems to be a consensus that you just put your site seals on there and conversions are going to go up, and then there might be discussions that some work better than others. But I'd argue that it's much more complex than that, and you need to understand where to put them and how to use them. This is a case study I borrowed from Pep at ConversionExcel, that tested this for one of his clients. This is the original one (left), I'll show you the variation here (right).

Removing Site seals increases conversion rate

He removed some fields, he also treated the copy and he also removed the stuff over here (the site seals), so there's multiple things going on.

What I want to show you is that the version without all the other stuff and the site seals converted better.

When you work with site seals it's complex, I've seen this happen in other tests also and I've seen it in user tests: sometimes it just becomes clutter. It becomes very hard to get an overview and just scan the page. And clutter is usually not very good for conversion stuff. You can't just assume that sticking some trust symbols on there is going to increase conversions.

Do site seals impact conversions? And in what direction? The study above is a single data point, and you shouldn't take anyone else's results as gospel. Other independent research has drawn both similar and different conclusions. Ultimately, someone else's results will never match your own site: you need to test how seals impact conversions on your own site. You may be surprised by the results.

Site seals help your CA more than you

The other reason site seals exist is for SEO: not for your site, but for your CA. Every site seal contains a link with SEO-optimised text ('SSL Certificate', 'SSL Certificates', 'Free SSL certificate', etc.) pointing to the CA's sales page. The seal's JavaScript normally makes click events visit the site report, but if a browser doesn't have JavaScript, like most search engines until very recently, the link reads as a straight link to the vendor. The link of course doesn't have nofollow, so search engines treat it as an endorsing link. That is, your website gives your CA's website PageRank.

Your site is effectively endorsing your CA to search engines.
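An added example (not from the original article) that audits a page for the link pattern described above: external anchors that lack rel="nofollow", noting which of them wrap an image the way a seal does. The markup and the shop.example, seal.ca.example and partner.example hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: hypothetical seal markup of the shape described above.
SAMPLE_PAGE = """<footer>
  <a href="https://seal.ca.example/report?site=shop.example" id="seal">
    <img src="https://seal.ca.example/seal.png" alt="Secured">
    SSL Certificates
  </a>
  <a href="https://partner.example/" rel="nofollow noopener">Partner</a>
  <a href="/privacy">Privacy</a>
</footer>"""

class SealLinkAuditor(HTMLParser):
    """Collect external <a> links and whether each carries rel=nofollow."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.links = []     # finished findings, one dict per external link
        self._open = None   # the external <a> currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            host = urlparse(attrs.get("href") or "").hostname
            if host and host != self.own_host:  # relative links have no host
                rel = (attrs.get("rel") or "").lower().split()
                self._open = {"host": host, "nofollow": "nofollow" in rel,
                              "wraps_image": False, "text": ""}
        elif tag == "img" and self._open is not None:
            self._open["wraps_image"] = True

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            # Collapse whitespace so the anchor text reads as a crawler sees it.
            self._open["text"] = " ".join(self._open["text"].split())
            self.links.append(self._open)
            self._open = None

def followed_external_links(html, own_host):
    """Return external links that search engines will read as endorsements."""
    auditor = SealLinkAuditor(own_host)
    auditor.feed(html)
    auditor.close()
    return [link for link in auditor.links if not link["nofollow"]]
```

Calling `followed_external_links(SAMPLE_PAGE, "shop.example")` reports only the seal link; the host comparison is exact, so pass the hostname your pages are actually served from.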

Conclusion

So: trust seals promote bad user behavior, have questionable impact on conversions, and make your website boost your CA's SEO.

There are other reasons to dislike site seals: infosec people are likely to boak at a security vendor using the term 'seal' in a non-cryptographic context, and until recently many seals used the Adobe Flash plugin, which undermines the stability and security of your site.

Maybe we're just jealous of the big CAs' awesome site seals?

We didn't use site seals before we started CertSimple, and we still don't use them now. We recommend you do the same.

Thanks to UserTesting for their help compiling this article