Jeff Lawson blogged last week about problems with a TRUSTe certified site, iGive.
Briefly, Jeff found a number of problems with iGive’s security model:
- Unauthenticated autologin URLs
- Insecure cookie logins
- Insecure charity details
- Insecure member listing
While TRUSTe did ultimately take action on Jeff’s security issues (and according to Jeff, they did understand the issues and did communicate with iGive), Jeff adds some additional color in an email exchange:
At least in my case, TRUSTe was effective in getting some action from iGive, after months of inaction after attempting to work with them directly. TRUSTe’s staff were able to understand the seriousness of the issues and made efforts to reproduce my claims before passing them on.
My main complaint with TRUSTe is with the fact that they intentionally avoid taking any role in auditing their member companies, even at the most superficial levels. I don’t believe TRUSTe would have even recommended that iGive conduct their own general security audit if I hadn’t suggested it. If TRUSTe doesn’t want to take the responsibility of performing security audits, perhaps they should place a membership requirement for periodic external reviews by a designated security firm. Watchdog complaints seem to unreasonably require the reporter to satisfy the burden of proof before any action is taken.
The lack of full transparency around the corrective actions done is a little disappointing, though probably not unreasonable since it usually involves the PR image of their member companies.
You can view Jeff’s blog post here.
TRUSTe recently went for-profit, which only opens the door to more potential weakness in the face of a paying client. On the other hand, they did hire the highly-respected researcher Sandi Hardmeier as one of their online watchdogs/security researchers, which shows an increased vigilance in policing their certified companies.
(Now, in fairness, I understand that security audits may not be economically feasible at their current rates, but perhaps there are other methods — like having a TRUSTe “Audited” seal, denoting a higher level of security in a site.)