SSL 'site seals' are even worse than you thought
July 12, 2021
Site seals promote bad user behavior, have questionable impact on conversions, and make your site boost your CA's SEO. Read on for more.
Why site seals exist
Certificate Authorities (CAs) have a problem: they want to show consumers their branding but can't. The only area of a browser users can actually trust - the address bar - doesn't show the CA's branding. A lock is shown, and extended validation certs show the company ID, but unless the user really likes HTTPS and starts to explore the certificate, that's all. Validation level aside, a Symantec certificate looks like a Comodo certificate looks like a GoDaddy certificate. For CAs, that's a problem.
Heads up: we sell certificates, and occasionally get explicit requests from customers for site seals, which we'll happily fulfill. But we don't use site seals, and our management tools don't encourage site seals or mention them at all. Here's why.
Promoting misplaced trust
The report that appears when you click on a site seal mentions SSL, and may also cover additional services like malware scans, site scans, or insurance policies for misissued certificates. The report is presented from a secured site - again, the only part of a browser you can trust is the address bar - and the report's contents are often useful.
However, the seal image itself has no security value - site seals are easily copied just like any other image on the internet, and anyone wanting to do something bad wouldn't hesitate to do so. Which is the crux of the issue:
Without such encouragement, it seems the design of the seal exists to make users trust an image. Encouraging users to trust identity information inside the browser's content area harms online security.
Do site seals impact conversions?
Let's look at independent research instead. UserTesting help other companies optimise their user experience. They do this by running large-scale experiments to find out the language, designs, and user experiences that make users convert. UserTesting are not part of the security industry, they're part of the 'helping you sell stuff online' industry. In 2015 they ran 'Optimize Your Web Forms for Maximum Conversion' with Michael Aagaard. If you're interested in online commerce, we recommend the whole series, but the specific part we're interested in occurs at 36:15.
Here's the full quote:
There seems to be a consensus that you just put your site seals on there and conversions are going to go up, and then there might be discussions that some work better than others. But I'd argue that it's much more complex than that, and you need to understand where to put them and how to use them. This is a case study I borrowed from Pep at ConversionExcel, that tested this for one of his clients. This is the original one (left), I'll show you the variation here (right).
He removed some fields, he also treated the copy and he also removed the stuff over here (the site seals), so there's multiple things going on.
What I want to show you is that the version without all the other stuff and the site seals converted better.
When you work with site seals it's complex, I've seen this happen in other tests also and I've seen it in user tests: sometimes it just becomes clutter. It becomes very hard to get an overview and just scan the page. And clutter is usually not very good for conversion stuff. You can't just assume that sticking some trust symbols on there is going to increase conversions.
Do site seals impact conversions? And in what direction? The study above is a single data point, and you shouldn't take anyone else's results as gospel. There is other independent research that has drawn both similar and different conclusions. Ultimately, someone else's results will never match your own site: you need to test how seals impact your conversions on your own site. You may be surprised by the results.
Site seals help your CA more than you
So: trust seals promote bad user behavior, have questionable impact on conversions, and make your website boost your CA's SEO.
There are other reasons to dislike site seals: infosec people are likely to boak at a security vendor using the term 'seal' in a non-cryptographic context, and until recently many seals used the Adobe Flash plugin, which undermines the stability and security of your site.
Maybe we're just jealous of the big CAs' awesome site seals?
We didn't use site seals before we started CertSimple, and we still don't use them now. We recommend you do the same.
Thanks to UserTesting for their help compiling this article