'Friendly rootkits' a must for secure Web shopping?

Secure Socket Layer (SSL) certificates have made e-commerce more secure, according to VeriSign, but a US security researcher reckons benevolent rootkits served by the retailer might do a better job.

SSL certificates are issued to merchants by Certificate Authorities to indicate to the consumer it is a legitimate business. The rootkit which Dan Geer, VP and chief scientist at security company Verdasys, has proposed would take over the security function of a customer during a transaction by placing it within the merchant's trusted environment.

Geer proposes that merchants ask their customers whether they would like an "extra special secure connection" prior to making a transaction. If a user says "Yes", the merchant could install the rootkit on a customer's PC to make the transaction safe.

"In other words, you should immediately 0wn their machine for the duration of the transaction -- by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say 'Yes'," explained Geer in a special guest blog for ZDNet Australia sister site ZDNet.com.

The problem with SSL certificates, according to Geer, is that there is an assumption the consumer's PC is trustworthy, which today is untrue -- a quarter to two-thirds of the world's PCs are infected by some form of malware, he said, which is the result of human behaviour and means merchant e-commerce systems are "regularly kissing some infected machine on the lips".

Geer said PC infections -- like venereal diseases -- are a function of people's behaviour, so if a user says "yes", they are likely infected and would therefore benefit from the rootkit. Those that say "no" on the other hand are likely to be unencumbered by viruses and could therefore rely on standard encryption measures.

But the world is not black and white
Although Geer reckons his proposed method will have a positive impact on e-commerce safety, VeriSign's regional executive, Ed Elliff, said it would easily be undermined by other rootkit software possibly already installed on the user's PC.

"If you're talking about taking over a PC and installing a rootkit you should remember that you've got cybercriminals creating rootkits that intercept other rootkits," he said.

"Also, you can't really divide the world into two camps like that. Just thinking about my own use, I would be on the "no" side, but my kids would say "yes" and I can't control that. Even if we did have a situation where merchants were always trusted, it's not viable for merchants to interject themselves like that. Seeing things like Apple with iTunes and somehow taking control of a computer and controlling what sites they go to -- no-one likes that."

The real problem comes back to poorly governed issuance of SSL certificates by low-cost Certificate Authorities, said Elliff.

"SSL has done a pretty good job for last 15 years. The technology hasn't been broken but like any technology there are processes which are reflected in pricing ... there are some low cost options where the issuance and validation process is weaker. So it's not safe just to know that a Web site has a digital certificate," he said.

"Some organisations can generate their own so you really have to look behind the fact there is an SSL and who the Certificate Authority is and the process it was issued under."

Despite the apparent success of SSL certificates, a new standard was ratified in June this year, called Extended Validation (EV) SSL. EV SSL is more costly for a merchant to acquire because Certificate Agents must follow more rigorous procedures to certify the merchant.

However whether EV SSL is a real solution to the problem of shoddily-issued SSL certificates is another matter -- the extra cost involved in gaining EV SSL certification has prohibited many smaller organisations from adopting the standard.

So far only banks and government agencies have applied for EV SSL certificates, leaving consumers at the mercy of the remaining merchants that have acquired certificates by substandard Certificate Authorities.

Elliff warns to not hold out for a "panacea" for e-commerce security, since the real goal should be to "manage", not "eliminate" risk -- an issue which adds further complexity to the job faced by Certificate Authorities.

"The difference between the public sector and commercial enterprise such as banks is that [the latter] are working on risk management. Banks are losing lots of money each month but it's still manageable whereas a lot of government initiatives get caught up trying to eliminate risk rather than have it managed."