EFF Warns of Untrustworthy SSL, Undetectable Surveillance
When you navigate to a banking or e-commerce site, the padlock displayed in your browser should mean that the connection is HTTPS-encrypted and that you are talking to the site you think you are. Sites rely on a third-party certificate authority (CA) to issue an SSL certificate that vouches for the site's identity. Hundreds of CAs issue these certificates, and those companies in turn delegate issuing power to subordinate CAs. Because a browser accepts a certificate from any CA it trusts, regardless of which CA the site actually uses, there are now so many CAs that security researchers warn it is becoming difficult to trust that none of them is misusing that power to eavesdrop on users' online activities.
The Electronic Frontier Foundation (EFF) mapped more than 650 organizations that can issue certificates which will be accepted, directly or indirectly, by Microsoft’s Internet Explorer and Mozilla’s Firefox. The EFF will soon launch the SSL Observatory Project, “an effort to monitor and secure the cryptographic infrastructure of the World Wide Web. There is much work to be done, and we will need the help of many parties to make the HTTPS-encrypted web genuinely trustworthy… Browsers trust a very large number of these CAs, and unfortunately, the security of HTTPS is only as strong as the practices of the least trustworthy/competent CA.”
Some of those CAs sign unqualified names that assert nothing about who controls a host. The EFF and its fellow researchers found over 6,000 unique valid certificates for "localhost" from issuers including Comodo, Go Daddy, GlobalSign, Starfield, Equifax, Digicert, Entrust, Cybertrust, Microsoft, and Verisign; since every machine is "localhost" to itself, such a certificate proves nothing about the party holding its private key. The research also turned up some interesting subordinate CAs, such as the Department of Homeland Security (DHS) and Etisalat (Emirates Telecommunications Corporation).
Peter Eckersley, a senior staff technologist at EFF, signed an open letter to Verizon, which issued the subordinate CA certificate that gives Etisalat the power to certify websites. The EFF is asking Verizon to consider revoking that authority, since Etisalat may be an "unacceptable security risk to the Internet in general and especially to foreigners who use Etisalat's data services when they travel."
Here is part of EFF's open letter about the problem with Etisalat.
As you are aware, Etisalat is a telecommunications company headquartered in the United Arab Emirates. In July 2009, Etisalat issued a mislabeled firmware update to approximately 100,000 of its BlackBerry subscribers that contained malicious surveillance software. Research In Motion subsequently issued patches to remove this malicious code.
More recently, the United Arab Emirates Telecommunications Regulatory Authority and Etisalat threatened to discontinue service to BlackBerry users, claiming that these devices “allow users to act without any legal accountability, causing judicial, social and national security concerns for the UAE”, apparently on account of Research In Motion’s refusal to offer surveillance back doors in its encryption services.
These events clearly demonstrate that Etisalat and the UAE regulatory environment within which it operates are institutionally hostile to the existence and use of secure cryptosystems… Etisalat could use this key to issue itself valid HTTPS certificates for verizon.com, eff.org, google.com, microsoft.com, or indeed any other website. Etisalat could use those certificates to conduct virtually undetectable surveillance and attacks against those sites. Etisalat’s keys could also possibly be used to obtain access to some corporate VPNs.
Now we wait for Verizon to answer or to act. Meanwhile, the SSL Observatory prepares to launch. EFF presented this research at DefCon 18; here is the slide deck from their presentation. The SSL Observatory research was a collaboration between EFF and Jesse Burns of iSEC Partners.
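To make the letter's point concrete, and to show the kind of check the Observatory ran on the "localhost" certificates mentioned above, here is an added example in Go. It is not part of the article and is not EFF's Observatory code. It builds a throwaway hierarchy: a root standing in for a browser-trusted CA, a subordinate CA standing in for a delegate like Etisalat, and a leaf certificate the subordinate issues for a site it does not own. Standard X.509 chain validation accepts that leaf, because nothing in the chain says which names the subordinate may vouch for. The example then goes one step beyond the article and reissues the subordinate with an X.509 Name Constraints extension (RFC 5280 section 4.2.1.10), after which the forged leaf is rejected while a name inside the permitted domain still verifies. The CA names, serial numbers, the hosts www.example.com and www.telecom.example, the permitted domain telecom.example, and the "localhost" leaf fed to unqualifiedNames are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// template returns a CA template when dnsNames is nil and otherwise a TLS server
// leaf asserting those names. Every name and serial here is constructed for the demo.
func template(cn string, serial int64, dnsNames []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	if dnsNames == nil { // a CA: allowed to sign other certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key for tmpl and has parent sign it; a nil parent means self-signed (a root).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// forgedLeafAccepted models the letter's scenario: a trusted root delegates to a
// subordinate CA, which issues a leaf for victimHost, a site it does not own.
// permittedDomains, if non-empty, is the Name Constraints extension the root put on
// the subordinate. It reports whether a client trusting the root accepts the leaf.
func forgedLeafAccepted(victimHost string, permittedDomains []string) (bool, error) {
	root, rootKey, err := issue(template("Example Root CA", 1, nil), nil, nil)
	if err != nil {
		return false, err
	}
	subTmpl := template("Example Subordinate CA", 2, nil)
	subTmpl.PermittedDNSDomains = permittedDomains // nil: unconstrained, the usual case
	subTmpl.PermittedDNSDomainsCritical = len(permittedDomains) > 0
	sub, subKey, err := issue(subTmpl, root, rootKey)
	if err != nil {
		return false, err
	}
	leaf, _, err := issue(template(victimHost, 3, []string{victimHost}), sub, subKey)
	if err != nil {
		return false, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	// The chain check a browser runs before showing the padlock.
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: victimHost, Roots: roots, Intermediates: inters})
	return err == nil, nil
}

// unqualifiedNames returns the host names a certificate asserts (Subject CN plus SAN
// dNSNames) that identify no globally unique host: "localhost", anything under it,
// or a bare label with no dot. Any machine on any network can answer to such a name.
func unqualifiedNames(c *x509.Certificate) []string {
	var bad []string
	for _, n := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		n = strings.ToLower(strings.TrimSuffix(n, "."))
		if n == "localhost" || strings.HasSuffix(n, ".localhost") || (n != "" && !strings.Contains(n, ".")) {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	for _, constraints := range [][]string{nil, {"telecom.example"}} {
		ok, err := forgedLeafAccepted("www.example.com", constraints)
		fmt.Println("forged leaf accepted with constraints", constraints, "->", ok, err)
	}
	leaf, _, err := issue(template("localhost", 7, []string{"mail", "www.example.com"}), nil, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("unqualified names:", unqualifiedNames(leaf))
}
```

The caveat a practitioner will want: name constraints only help if the issuing root actually sets them and the validating client enforces them. Go's verifier does, which is why the example can show the difference. Unconstrained is the default, so each unconstrained subordinate in EFF's map of 650-plus organizations can certify exactly the same names its root can, and the unqualifiedNames check is a cheap first filter for issuers whose practices deserve a closer look.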