Secure Socket Layer (SSL) certificates have made e-commerce more secure, according to VeriSign, but a US security researcher reckons benevolent rootkits served by the retailer might do a better job.
SSL certificates are issued to merchants by Certificate Authorities to indicate to the consumer it is a legitimate business. The rootkit which Dan Geer, VP and chief scientist at security company Verdasys, has proposed would take over the security function of a customer during a transaction by placing it within the merchant's trusted environment.
Geer proposes that merchants ask their customers whether they would like an "extra special secure connection" prior to making a transaction. If a user says "Yes", the merchant could install the rootkit on a customer's PC to make the transaction safe.
"In other words, you should immediately 0wn their machine for the duration of the transaction -- by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say 'Yes'," explained Geer in a special guest blog for ZDNet Australia sister site ZDNet.com.
The problem with SSL certificates, according to Geer, is that there is an assumption the consumer's PC is trustworthy, which today is untrue -- a quarter to two-thirds of the world's PCs are infected by some form of malware, he said, which is the result of human behaviour and means merchant e-commerce systems are "regularly kissing some infected machine on the lips".
Geer said PC infections -- like venereal diseases -- are a function of people's behaviour, so if a user says "yes", they are likely infected and would therefore benefit from the rootkit. Those that say "no" on the other hand are likely to be unencumbered by viruses and could therefore rely on standard encryption measures.
Want to know more?
-
For all the latest news, analysis and opinion on security, click here
But the world is not black and white
Although Geer reckons his proposed method will have a positive impact on e-commerce safety, VeriSign's regional executive, Ed Elliff, said it would easily be undermined by other rootkit software possibly already installed on the user's PC.
"If you're talking about taking over a PC and installing a rootkit you should remember that you've got cybercriminals creating rootkits that intercept other rootkits," he said.
"Also, you can't really divide the world into two camps like that. Just thinking about my own use, I would be on the "no" side, but my kids would say "yes" and I can't control that. Even if we did have a situation where merchants were always trusted, it's not viable for merchants to interject themselves like that. Seeing things like Apple with iTunes and somehow taking control of a computer and controlling what sites they go to -- no-one likes that."
The real problem comes back to poorly governed issuance of SSL certificates by low-cost Certificate Authorities, said Elliff.
"SSL has done a pretty good job for last 15 years. The technology hasn't been broken but like any technology there are processes which are reflected in pricing ... there are some low cost options where the issuance and validation process is weaker. So it's not safe just to know that a Web site has a digital certificate," he said.
"Some organisations can generate their own so you really have to look behind the fact there is an SSL and who the Certificate Authority is and the process it was issued under."
Is Extended Validation SSL a panacea?Despite the apparent success of SSL certificates, a new standard was ratified in June this year, called Extended Validation (EV) SSL. EV SSL is more costly for a merchant to acquire because Certificate Agents must follow more rigorous procedures to certify the merchant.
However whether EV SSL is a real solution to the problem of shoddily-issued SSL certificates is another matter -- the extra cost involved in gaining EV SSL certification has prohibited many smaller organisations from adopting the standard.
So far only banks and government agencies have applied for EV SSL certificates, leaving consumers at the mercy of the remaining merchants that have acquired certificates by substandard Certificate Authorities.
Elliff warns to not hold out for a "panacea" for e-commerce security, since the real goal should be to "manage", not "eliminate" risk -- an issue which adds further complexity to the job faced by Certificate Authorities.
"The difference between the public sector and commercial enterprise such as banks is that [the latter] are working on risk management. Banks are losing lots of money each month but it's still manageable whereas a lot of government initiatives get caught up trying to eliminate risk rather than have it managed."
Wow - imagine trusted rootkits from company websites whose owners have outsourced the website to some other company. I just can't wait for the court cases - "I bought from you and you crashed my system!". Anyone remember the old "vitamin" proposal of a few years ago - yes, good, well meaning viruses planted in your machine by well meaning do-gooders to help combat Internet transmitted "nasties". Wasn't there a song - "evrything old is new again"?
But it gets worse - this article goes on with the old "chestnut" - always blame the end-user or customer - with the following
"...an assumption the consumer's PC is trustworthy, which today is untrue -- a quarter to two-thirds of the world's PCs are infected by some form of malware, he said, which is the result of human behaviour ."
No - rootkit/virus/trojan infection is a result of integrity failure in basic design of operating systems. By today we should have been well into modernised forms of "mandatory access control" using the excellent segmentation, capability enforcement and protection ring structures (4 rings) of the Intel IA-32 computer architecture - ignored by the industry.
No - no - the problems we have are caused by lack of interest in security design and enforcement in basic operating system structures in the 1990s. This was coupled by a complete disinterest by Governments worldwide in regulation of the IT industry (possibly changing at least in the USA in 2008).
Let's stop blaming the victim - the poor old end-user of our computer systems in the home and office today.