Who’s there to trust? Etisalat’s CA Certificate to be revoked?

Recently, the UAE appeared in the news with some security/privacy related issue; the fact that using encrypted services on the Internet could be a danger to the nation’s security. “The UAE threatened to discontinue some BlackBerry services because of RIM’s refusal to offer a surveillance back door to its customers’ encrypted communications.” [1]

Now, 2 days ago, the Electronic Frontier Foundation, the group defending
your rights in the digital world, requested Verizon in an open letter to revoke the CA (certificate authority) certificate from Etisalat, the nation’s CA. How does all of this work?

Etisalat offers SSL certificates. This can be used to authenticate “SSL” websites, such as https://ebanking.com. An SSl certificate is basically checked for 3 things:

  • Is the certificate still valid or expired?
  • Is the certificate for the correct server? (ebanking.com, can only have a certificate for ebanking.com, not for any other domain)
  • Is it a real certificate (signed by a CA)

The last step is to avoid that one would make a fake certificate, claiming it to be ebanking.com. A certificate authority is a trusted body that verifies the authenticity of the requester. If you can issue “trusted” certificates, you can hijack connections to every SSL page. These include Gmail, hotmail, facebook and every e-banking website out there.

The EFF is concerned that with actions such as the BlackBerry spyware last year, or the recent BlackBerry issues, it questions the trust one can put into Etisalat.

[1] New York Times (2010): http://www.nytimes.com/2010/08/14/technology/14encrypt.html?_r=1


Leave a Reply

Your email address will not be published. Required fields are marked *