orange
08-30-2010, 02:50 PM
The Internet's Secret Back Door
http://www.slate.com/id/2265204/
Excerpt:
Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more than 60 separate certificate authorities by default. Microsoft's software trusts more than 100 private and government institutions.
Disturbingly, some of these trusted certificate authorities have decided to delegate their powers to yet more organizations, which aren't tracked or audited by browser companies. By scouring the Net for certificates, security researchers have uncovered more than 600 groups who, through such delegation, are now also automatically trusted by most browsers, including the Department of Homeland Security, Google, and Ford Motors—and a UAE mobile phone company called Etisalat.
In 2005, a company called CyberTrust—which has since been purchased by Verizon—gave Etisalat, the government-connected mobile company in the UAE, the right to verify that a site is valid. Here's why this is trouble: Since browsers now automatically trust Etisalat to confirm a site's identity, the company has the potential ability to fake a secure connection to any site Etisalat subscribers might visit using a man-in-the-middle scheme.
Etisalat doesn't exactly have a clean record when it comes to privacy. Tech watchdogs have already caught it deliberately attempting to invade the privacy of its own users. In July 2009, Etisalat abruptly announced a software update on all its BlackBerry customers. Described as a "network upgrade," the application in fact copied all messages written on the device to two private Etisalat e-mail addresses. Research in Motion distanced itself from this clumsy attempt at government spyware, clarifying that it was "not a RIM-authorized software upgrade" and providing a counter-app to remove the program.
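The trust problem the article describes comes down to one rule in browser chain validation: a chain is accepted if it ends in any root in the trust store, and any CA reachable by delegation from such a root inherits that power. The following is an added toy model (not code from the Slate article or the forum post) that makes the rule concrete and shows how a site-specific key pin narrows it. Every name, key and trust-store entry is constructed for the example, and signature verification is abstracted to matching the issuer name against the signer's subject.

```python
# Added illustration, not from the Slate article or the forum post: a toy model
# of browser-style chain validation versus a per-site key pin. All names, keys
# and the trust store below are constructed; none are real certificates.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str         # CN of the holder (hostname for a leaf, CA name otherwise)
    issuer: str          # CN of the CA that signed it
    spki: bytes          # stand-in for the DER SubjectPublicKeyInfo (constructed)
    is_ca: bool = False  # basicConstraints CA flag: may this cert sign others?


def spki_pin(cert: Cert) -> str:
    """HPKP/Chrome-style pin: SHA-256 over the SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(cert.spki).hexdigest()


def chain_links_to_store(chain: list[Cert], roots: set[str]) -> bool:
    """Leaf-first chain: each cert must be signed by the next one, every signer
    must carry the CA flag, and the last issuer must be a root in the store.
    (Real signature checks are abstracted to name matching in this model.)"""
    if not chain:
        return False
    for cert, signer in zip(chain, chain[1:]):
        if cert.issuer != signer.subject or not signer.is_ca:
            return False
    return chain[-1].issuer in roots


def browser_accepts(chain: list[Cert], roots: set[str], hostname: str) -> bool:
    """What a stock browser does: any chain ending in *any* trusted root is fine."""
    return chain[0].subject == hostname and chain_links_to_store(chain, roots)


def pinned_accepts(chain: list[Cert], roots: set[str], hostname: str, pins: set[str]) -> bool:
    """Same check, plus at least one key in the chain must be one the site operator
    pinned. A chain from a different, still trusted, CA now fails."""
    return browser_accepts(chain, roots, hostname) and any(spki_pin(c) in pins for c in chain)


def vouching_parties(roots: set[str], ca_certs: list[Cert]) -> set[str]:
    """Every CA reachable by delegation from a trusted root can vouch for any site,
    so the effective trust set is the transitive closure, not just the root list."""
    trusted = set(roots)
    changed = True
    while changed:
        changed = False
        for c in ca_certs:
            if c.is_ca and c.issuer in trusted and c.subject not in trusted:
                trusted.add(c.subject)
                changed = True
    return trusted


ROOTS = {"Root CA One", "Root CA Two"}

# Constructed sample: the site's genuine chain, issued under Root CA One ...
INTERMEDIATE_ONE = Cert("Intermediate One", "Root CA One", b"key-intermediate-one", is_ca=True)
SITE_LEAF = Cert("mail.example.test", "Intermediate One", b"key-site-real")
REAL_CHAIN = [SITE_LEAF, INTERMEDIATE_ONE]

# ... and a sub-CA that Root CA Two delegated to a third party (the situation the
# article describes): it can mint a leaf for the same hostname.
DELEGATED_SUB_CA = Cert("Delegated Sub-CA", "Root CA Two", b"key-delegated-subca", is_ca=True)
FORGED_LEAF = Cert("mail.example.test", "Delegated Sub-CA", b"key-forged")
FORGED_CHAIN = [FORGED_LEAF, DELEGATED_SUB_CA]

# A chain whose signer lacks the CA flag (a leaf vouching for a leaf) must fail.
BROKEN_CHAIN = [Cert("mail.example.test", "mail.other.test", b"k1"),
                Cert("mail.other.test", "Intermediate One", b"k2"),
                INTERMEDIATE_ONE]

# The site operator pins its own leaf key plus its issuing intermediate as a backup pin.
SITE_PINS = {spki_pin(SITE_LEAF), spki_pin(INTERMEDIATE_ONE)}

if __name__ == "__main__":
    host = "mail.example.test"
    print("browser, real chain:  ", browser_accepts(REAL_CHAIN, ROOTS, host))                # True
    print("browser, forged chain:", browser_accepts(FORGED_CHAIN, ROOTS, host))              # True
    print("pinned,  forged chain:", pinned_accepts(FORGED_CHAIN, ROOTS, host, SITE_PINS))    # False
    print("who can vouch:", sorted(vouching_parties(ROOTS, [INTERMEDIATE_ONE, DELEGATED_SUB_CA])))
```

The second print line is the article's point: the forged chain passes stock validation because it roots in a trusted store entry, even though the issuing CA has nothing to do with the site. `vouching_parties` shows why counting roots understates the exposure, since every delegated sub-CA joins the set. Pinning (or, today, Certificate Transparency monitoring) is what lets a site operator or client notice an issuance from an unexpected CA.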