'Friendly rootkits' proposed for safe e-commerce

A security researcher believes benevolent rootkits served by retailers might make e-commerce more secure than SSL certificates
Written by Liam Tung, Contributing Writer

Secure socket layer, or SSL, certificates have made e-commerce more secure, according to VeriSign, but a US security researcher believes benevolent rootkits served by retailers might do a better job.

SSL certificates are issued to merchants by certificate authorities to indicate to consumers that they are dealing with a legitimate business. The rootkit which Dan Geer, vice president and chief scientist at security company Verdasys, has proposed would take over the security function of a customer during a transaction by placing it within the merchant's trusted environment.

Geer proposes that merchants ask their customers whether they would like an "extra special secure connection" prior to making a transaction. If a user answers "yes", the merchant could install the rootkit on a customer's PC to make the transaction safe.

"In other words, you should immediately own their machine for the duration of the transaction, by, say, stealing their keyboard away from their [operating system] and attaching it to a special encrypting network stack — all of which you make possible by sending a small, use-once rootkit down the wire at log-in time, just after they say 'yes'," explained Geer in a special guest blog for ZDNet.com.

The problem with SSL certificates, according to Geer, is there is an assumption, which today is often unfounded, that the consumer's PC is trustworthy. A quarter to two-thirds of the world's PCs are infected by some form of malware, he said, which is the result of human behaviour and means merchant e-commerce systems are "regularly kissing some infected machine on the lips".

Geer said PC infections — like venereal diseases — are a symptom of people's behaviour, so, if a user says "yes", they are probably infected and would therefore benefit from the rootkit. Those that say "no", on the other hand, are likely to be unencumbered by viruses and could therefore rely on standard encryption measures.

World not black and white
Although Geer reckons his proposed method would have a positive impact on e-commerce safety, VeriSign's executive director of sales for the Australia and New Zealand region, Ed Elliff, said it would easily be undermined by other rootkit software possibly already installed on users' PCs.

"If you're talking about taking over a PC and installing a rootkit, you should remember that you've got cybercriminals creating rootkits that intercept other rootkits," Elliff said.

"Also, you can't really divide the world into two camps like that. Just thinking about my own use, I would be on the "no" side but my kids would say "yes", and I can't control that. Even if we did have a situation where merchants were always trusted, it's not viable for merchants to interject themselves like that. Seeing things like Apple with iTunes and somehow taking control of a computer and controlling what sites they go to — no-one likes that."

The real problem comes back to poorly governed issuance of SSL certificates by low-cost certificate authorities, said Elliff.

"SSL has done a pretty good job for the last 15 years. The technology hasn't been broken but, like any technology, there are processes which are reflected in pricing... there are some low-cost options where the issuance and validation process is weaker. So it's not safe just to know that a website has a digital certificate," Elliff said.

"Some organisations can generate their own, so you really have to look behind the fact there is an SSL [to] who the certificate authority is and the process it was issued under," continued Elliff.

Extended validation SSL no panacea
Despite the apparent success of SSL certificates, a new standard was ratified in June this year — "extended validation SSL" (EV SSL). EV SSL is more costly for a merchant to acquire because certificate authorities must follow more rigorous procedures to certify the merchant.

However, whether EV SSL is a real solution to the problem of shoddily issued SSL certificates is another matter — the extra cost involved in gaining EV SSL certification has prohibited many smaller organisations from adopting the standard.

So far only banks and government agencies have applied for EV SSL certificates, leaving consumers at the mercy of the remaining merchants that have acquired certificates through sub-standard certificate authorities.

Elliff warned not to hold out for a "panacea" for e-commerce security, since the real goal should be to "manage", not "eliminate" risk — an issue which adds further complexity to the job faced by certificate authorities.

"The difference between the public sector and commercial enterprise, such as banks, is that [the latter] are working on risk management. Banks are losing lots of money each month but it's still manageable, whereas a lot of government initiatives get caught up trying to eliminate risk rather than have it managed."

Editorial standards