Secure notification method needed for infected ISP customers
There’s been some debate surrounding Comcast’s decision to begin testing a new system that notifies customers who have probably had their computers taken over. By and large, the responses have been overwhelmingly positive to the general concept of what Comcast is doing. But as I pointed out in my previous blog, the concern is that the popup notification mechanism might be spoofed by malicious websites trying to trick users into installing fake security protection software that is actually malware.
With the tools we currently have at our disposal, our options are S/MIME email or SSL-signed web pages. Those are pretty good technical mechanisms (with the exception of the current null-character certificate vulnerability in many X.509 clients such as CryptoAPI) for notifying customers. The challenge is that many consumers treat unsigned and signed email or websites the same. Even if they know they’re supposed to look for the lock symbol, not everyone is going to know whether an SSL or S/MIME signed message from ComcastNotification.com (which anyone can buy for $10/year right now) or Comcast.somedomain.com is legitimate.
Most consumers choose to live with infected computers
Another major concern is that consumers would simply ignore and block future emails and web popups so that they can continue to use their computer. The fact that they’re spewing malicious payloads all over the Internet may or may not have crossed their mind, but at the end of the day that’s someone else’s problem. Many consumers (I know quite a few personally) know they’re infected with something, but they’re willing to live with it because fixing an old computer is going to cost two hours of expensive labor at a minimum for a fresh OS install, and that doesn’t include data backup and recovery. A lot of consumers simply live with it until they can get a new computer and replace the old, severely degraded one, loaded to the brim with malware and crapware. Then when they get the new computer, they do exactly the same things they shouldn’t have done before, and they get infected all over again within a few weeks.
So realistically, the only thing that can and should currently be done is to cut infected users off until they actually fix the problem. If every ISP did that, consumers would become a less valuable target for cybercriminals because an infected machine wouldn’t stay infected for long. More importantly, quarantined users don’t need to guess about the legitimacy of the notification: they’ve been cut off and they have to do something about it.
Proposal for a standard notification and response mechanism
What’s really needed is a standardized notification and response mechanism that should work out-of-band from existing web and email systems. Such a system would have to be functionally distinct from email and web so that users aren’t confused about the notification’s authenticity. A good solution might be to standardize an out-of-band secure notification method into the web browser, and only trusted network providers who have special digital certificates should be allowed to invoke the system.
The system could work if a digitally signed message were inserted into a non-visible portion of the web page that the user is browsing. Verified messages would then invoke a non-web interface in the web browser, perhaps in the toolbar section. The message would be shown in this special notification area and would stay there until the user fills out a confirm-receipt form along with a detailed list of questions on what the user did to clean the infection. The response would be sent to an IP address specified in the secure notification message.
Once the user confirms they’ve cleaned the infection, the notification would close. If the customer’s computer continues to attack the Internet or they ignore the message, Internet access should be cut off until remediation is completed. If the customer is running a web browser that doesn’t support out-of-band notifications, Internet access could be cut off and all web requests redirected to a notification page with links to remediation resources.