VeriSign, which provides SSL certificates, has begun offering free malware scanning of its certificate customers' Web servers to make sure their Web sites aren't inadvertently hosting malware that could infect visitors.
The free malware scanning, which VeriSign will make available to customers through the same portal used to manage VeriSign SSL server certificates, is being performed by Armorize Technologies, says Tim Callan, VeriSign's vice president of product marketing. If malware is found on a customer's Web site, VeriSign will turn off the "VeriSign Trust" seal displayed in online searches results until the Web site cleans up its malware infections.
"There are consequences if you didn't clean it up because you are infecting some of your customers," Callan says. VeriSign is taking this new step related to malware scanning in order to have the "VeriSign Trust" seal begin to take on a broader meaning related to Web site security, he adds.
SSL certificates are used as a way to verify a Web site's authenticity, but today's online users may simply override any warnings they receive about the validity of SSL certificates, Callan acknowledges. Displaying the "VeriSign Trust" seal on a malware-infected Web site definitely sends the wrong message, Callan says.
"We are trying to make a stronger statement about a Web site and the safety of a certificate than we made before," Callan says. The proliferation of malware through infected pages on Web sites by attackers shows that "honest businesses are being used as ignorant mules for malware," Callan says. Understanding of malware infection of Web sites and the impact of drive-by downloads remains distressingly low, he adds.
While it isn't mandatory -- not yet, at least -- for VeriSign SSL server certificate customers to use the free Armorize Web-scanning service, declining to use it means that VeriSign will not confirm use of its so-called "Seal-in-Search" technology that lets VeriSign customers display their "VeriSign Trust" seals next to search-engine results to consumers. "If you're not confirmed not to have malware, you're not confirmed for Seal-in-Search," Callan says.
The Armorize-based scans, when used, would be active once daily, though customers could schedule them more frequently if wished. VeriSign will provide customers with details about any infected pages to make cleanup easier. So far, plans call for the malware-detection scans to start at the customer's home page and inspect a few hundred pages, for example, but perform an entire Web site scan if any malware is found.
VeriSign acknowledges that this step into free malware scanning tied to use of its SSL server certificates takes the company into new territory where it may end up with an expanded set of services associated with certificates.