Who’s there to trust? Etisalat’s CA Certificate to be revoked?


Recently, the UAE appeared in the news with some security/privacy related issue; the fact that using encrypted services on the Internet could be a danger to the nation’s security. “The UAE threatened to discontinue some BlackBerry services because of RIM’s refusal to offer a surveillance back door to its customers’ encrypted communications.” [1]

Now, 2 days ago, the Electronic Frontier Foundation, the group defending
your rights in the digital world, requested Verizon in an open letter to revoke the CA (certificate authority) certificate from Etisalat, the nation’s CA. How does all of this work?

Etisalat offers SSL certificates. This can be used to authenticate “SSL” websites, such as https://ebanking.com. An SSl certificate is basically checked for 3 things:

  • Is the certificate still valid or expired?
  • Is the certificate for the correct server? (ebanking.com, can only have a certificate for ebanking.com, not for any other domain)
  • Is it a real certificate (signed by a CA)

The last step is to avoid that one would make a fake certificate, claiming it to be ebanking.com. A certificate authority is a trusted body that verifies the authenticity of the requester. If you can issue “trusted” certificates, you can hijack connections to every SSL page. These include Gmail, hotmail, facebook and every e-banking website out there.

The EFF is concerned that with actions such as the BlackBerry spyware last year, or the recent BlackBerry issues, it questions the trust one can put into Etisalat.

[1] New York Times (2010): http://www.nytimes.com/2010/08/14/technology/14encrypt.html?_r=1

3 Comments

  • August 15, 2010 - 11:22 am | Permalink

    I just can’t believe this part
    “If you can issue “trusted” certificates, you can hijack connections to every SSL page. These include Gmail, hotmail, facebook and every e-banking website out there.”
    Is that really true??!!!!!!!
    This should end the myth of SSL then
    back again to the question “Who’s there to trust?” I would think, no one

  • August 15, 2010 - 12:20 pm | Permalink

    If you control a country’s mandatory proxy, you could push say https://hotmail.com to another page. Say if you’d to do this with a self signed SSL cert, you would normally get a “SSL error”. Then it’s up to human stupidity to continue or not.

    To avoid this, a CA only issues certificates for verified bodies. (eg: You cannot get a cert for hotmail.com). If a CA would indeed issue certificates for other reasons, you won’t really know who you’re talking to. Unless you keep track of the certificate information – if that all of the sudden changed, it might be phoney.

    SSL’s myth is not broken, SSL’s used for encryption (which still works) and authenticity. You want the correct “remote server” to decrypt your information.

  • Jay
    August 16, 2010 - 11:26 am | Permalink

    It usually comes down to what people believe. Sure a CA needs to be there to increase trust. Still if you find a flaw there or like recently blackmail / hijack / … a trusted SSL Cert from a know company then you are screwed (if you don’t pay attention)

    Most of the time people just click and surf without thinking what they are doing , honestly most people just don’t care. Lack of general education and awareness ?

  • Leave a Reply

    Your email address will not be published. Required fields are marked *