Proliferation of Trusted “Certificate Authorities” Demands Audit

The article in NYTimes, August 13, Technology, reads …

“Computer security researchers are raising alarms about vulnerabilities in some of the Web’s most secure corners: the banking, e-commerce and other sites that use encryption to communicate with their users. Those sites, which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user’s Web browser that the sites are authentic. But as the number of such third-party “certificate authorities” has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say.

“It is becoming one of the weaker links that we have to worry about,” said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group.

“The power to appoint certificate authorities has been delegated by browser makers like Microsoft, Mozilla, Google and Apple to various companies, including Verizon. Those entities, in turn, have certified others, creating a proliferation of trusted “certificate authorities,” according to Internet security researchers.

“According to the Electronic Frontier Foundation, more than 650 organizations can issue certificates that will be accepted by Microsoft’s Internet Explorer and Mozilla’s Firefox, the two most popular Web browsers. Some of these organizations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens.

“Mr. Eckersley said Exhibit No. 1 of the weak links in the chain is Etisalat, a wireless carrier in the United Arab Emirates that he said was involved in the dispute between the BlackBerry maker, Research In Motion, and that country over encryption. The U.A.E. threatened to discontinue some BlackBerry services because of R.I.M.’s refusal to offer a surveillance back door to its customers’ encrypted communications. Mr. Eckersley also said that Etisalat was found to have installed spyware on the handsets of some 100,000 BlackBerry subscribers last year. Research In Motion later issued patches to remove the malicious code.

“Yet Mr. Eckersley said that Etisalat was one of the “certificate authorities” and could misuse its position to eavesdrop on the activities of Internet users.”

Is the problem idiosyncratic, or systemic? And, like the BP oil spill, is it still leaking information from folks who have, apparently, been given a license to steal? Well, Mr. Eckersley has attempted to address this in the following letter from the Electronic Frontier Foundation (EFF):


EFF to Verizon: Etisalat Certificate Authority Threatens Web Security

Technical Analysis by Peter Eckersley

EFF will soon be launching the SSL Observatory project, an effort to monitor and secure the cryptographic infrastructure of the World Wide Web. There is much work to be done, and we will need the help of many parties to make the HTTPS-encrypted web genuinely trustworthy. To see why, you can read the following letter, which we are sending to Verizon today:

(there is also a story in the New York Times)

Dear Verizon,

We are writing to request that Verizon investigate the security and privacy implications of the SSL CA certificate (serial number 0x40003f1) that Cybertrust (now a division of Verizon) issued to Etisalat on the 19th of December, 2005, and evaluate whether this certificate should be revoked.

As you are aware, Etisalat is a telecommunications company headquartered in the United Arab Emirates. In July 2009, Etisalat issued a mislabeled firmware update to approximately 100,000 of its BlackBerry subscribers that contained malicious surveillance software [1]. Research In Motion subsequently issued patches to remove this malicious code [2].

More recently, the United Arab Emirates Telecommunications Regulatory Authority and Etisalat threatened to discontinue service to BlackBerry users, claiming that these devices "allow users to act without any legal accountability, causing judicial, social and national security concerns for the UAE", apparently on account of Research In Motion’s refusal to offer surveillance back doors in its encryption services [3].

These events clearly demonstrate that Etisalat and the UAE regulatory environment within which it operates are institutionally hostile to the existence and use of secure cryptosystems. It is therefore of great concern to us that Etisalat is in possession of a trusted SSL CA certificate and the accompanying private key, which effectively functions as a master key for the encrypted portion of the World Wide Web. Etisalat could use this key to issue itself valid HTTPS certificates for verizon.com, eff.org, google.com, microsoft.com, or indeed any other website. Etisalat could use those certificates to conduct virtually undetectable surveillance and attacks against those sites. Etisalat’s keys could also possibly be used to obtain access to some corporate VPNs.

We believe this situation constitutes an unacceptable security risk to the Internet in general and especially to foreigners who use Etisalat’s data services when they travel.

We do not know whether Etisalat is willing to use its SSL CA keys for surveillance; however, the malicious code that Etisalat distributed last year had been signed by cryptographic keys that gave it access to various security-sensitive parts of the BlackBerry’s API [4][5], indicating a willingness on Etisalat’s part to use other keys for the wholesale subversion of security measures intended to protect users’ privacy.

Because Microsoft, Mozilla, and other browser vendors have chosen to delegate certificate issuing authority to Verizon/Cybertrust, and because Cybertrust in turn chose to delegate this authority to Etisalat, Verizon is now the only party in a position to mitigate this risk to Internet security in a manner that is prompt and minimizes side-effects. We therefore request that Verizon reevaluate whether Etisalat is a trustworthy Certificate Authority, and determine whether it may be appropriate to issue a new CRL revoking Etisalat’s CA certificate.
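The letter's two technical points, that a delegated CA certificate lets its holder issue browser-accepted certificates for any site, and that the issuing CA can cut that off by placing the subordinate's serial on a CRL, can be shown with a small chain-validation model. This is an added example, not EFF's or the page's own code: it does no real X.509 parsing or signature checking (signatures are assumed valid), and the leaf certificate, the leaf serial and the CA names are constructed; only the subordinate serial 0x40003f1 comes from the letter.

```python
"""Toy model of browser-style chain validation with CRL revocation.
Constructed example: certs are plain records, signatures are assumed valid."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    is_ca: bool = False


def build_chain(leaf, pool, roots, max_depth=8):
    """Follow issuer links from the leaf to a trust anchor in `roots`.
    Returns [leaf, ..., root] or None when no trusted path exists."""
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        if current.issuer in roots:          # reached a browser-trusted root
            return chain + [roots[current.issuer]]
        parent = pool.get(current.issuer)    # intermediate (delegated) CA
        if parent is None or not parent.is_ca:
            return None
        chain.append(parent)
        current = parent
    return None


def validate(leaf, pool, roots, crl):
    """crl is a set of (issuer, serial) pairs published by each issuer.
    A revoked intermediate invalidates every leaf beneath it."""
    chain = build_chain(leaf, pool, roots)
    if chain is None:
        return (False, "no path to a trusted root")
    for cert in chain:
        if (cert.issuer, cert.serial) in crl:
            return (False, f"{cert.subject} revoked by {cert.issuer}")
    return (True, " -> ".join(c.subject for c in chain))


# Trust store (constructed root), the subordinate CA from the letter
# (serial 0x40003f1, issued by Cybertrust), and a constructed leaf.
ROOTS = {"Cybertrust Root": Cert("Cybertrust Root", "Cybertrust Root", 1, True)}
ETISALAT_CA = Cert("Etisalat CA", "Cybertrust Root", 0x40003f1, True)
LEAF = Cert("www.example.com", "Etisalat CA", 4242)     # constructed serial
POOL = {ETISALAT_CA.subject: ETISALAT_CA}


def demo():
    """Same leaf before and after the issuer revokes the subordinate CA."""
    before = validate(LEAF, POOL, ROOTS, crl=set())
    after = validate(LEAF, POOL, ROOTS, crl={("Cybertrust Root", 0x40003f1)})
    return before, after
```

Revocation reaches the browser only if it actually fetches the CRL, which is the caveat behind the letter's request that Verizon publish one.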

 

We’re really curious as to why this status has not been divulged. The FCC and possibly other agencies ought to demand an audit of all the certificates and authenticate or replace existing certificates to ensure they are not compromised. The cost to replace certificates is minimal compared to the risks. If anyone has any ideas, let us know. There will be prizes.
