Experts warn of a weak link in the security of websites

Advertisement
By Miguel Helft, New York Times | Updated: 5 June 2012 02:26 IST
Highlights
  • Computer security researchers are raising alarms about vulnerabilities in some of the Web’s most secure corners: the banking, e-commerce and other sites that use encryption to communicate with their users.
Computer security researchers are raising alarms about vulnerabilities in some of the Web's most secure corners: the banking, e-commerce and other sites that use encryption to communicate with their users.

Those sites, which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user's Web browser that the sites are authentic. But as the number of such third-party "certificate authorities" has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say.

"It is becoming one of the weaker links that we have to worry about," said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group.

The power to appoint certificate authorities has been delegated by browser makers like Microsoft, Mozilla, Google and Apple to various companies, including Verizon. Those entities, in turn, have certified others, creating a proliferation of trusted "certificate authorities," according to Internet security researchers.

According to the Electronic Frontier Foundation, more than 650 organizations can issue certificates that will be accepted by Microsoft's Internet Explorer and Mozilla's Firefox, the two most popular Web browsers. Some of these organizations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens.

Mr Eckersley said Exhibit No. 1 of the weak links in the chain is Etisalat, a wireless carrier in the United Arab Emirates that he said was involved in the dispute between the BlackBerry maker, Research In Motion, and that country over encryption. The UAE threatened to discontinue some BlackBerry services because of RIM's refusal to offer a surveillance back door to its customers' encrypted communications. Mr Eckersley also said that Etisalat was found to have installed spyware on the handsets of some 100,000 BlackBerry subscribers last year. Research In Motion later issued patches to remove the malicious code.

Yet Mr Eckersley said that Etisalat was one of the "certificate authorities" and could misuse its position to eavesdrop on the activities of Internet users.

In an open letter signed by Mr Eckersley, the Electronic Frontier Foundation is asking Verizon, which issued Etisalat's power to certify Web sites, to consider revoking that authority.

Verizon declined to comment. Etisalat did not respond to an e-mail requesting comment.

Mr Eckersley wrote that Etisalat could issue fake certificates to itself for scores of Web sites, including google.com, Microsoft.com and Verizon.com, and "use those certificates to conduct virtually undetectable surveillance and attacks against those sites." Etisalat could also eavesdrop on virtual private networks used by corporations to communicate securely around the world, he wrote.

"We believe this situation constitutes an unacceptable security risk to the Internet in general and especially to foreigners who use Etisalat's data services when they travel," he wrote, adding that the foundation did not know whether Etisalat had misused its authority yet.

Concerns about certificates have been raised before. When Firefox considered granting certificate authority to a Chinese company earlier this year, members of the Firefox community worried that the company might be pressured by the government to eavesdrop, for example, on the Gmail accounts of Chinese dissidents. Eventually, Firefox decided to go ahead with the process.

Other security experts said that they were concerned about the proliferation of certificate authorities.

"I think it is a really big deal," said Stephen Schultze, associate director of the Center for Information Technology Policy at Princeton University. Mr Schultze said that the problem "is not a reason to panic and stop doing online banking or e-commerce. But it is a bad enough problem that it should be receiving a lot more attention and we should be trying to fix it."

Some browser makers, however, suggested that while attacks were possible in theory, the system had worked reasonably well for more than a decade.

"It has proven itself historically to be relatively secure," said Johnathan Nightingale, Mozilla's director of Firefox development. Mr Nightingale said that many e-commerce sites were using a new type of certificate that required extensive verification. If a certificate authority was misusing its power to eavesdrop, he said, a user with technical skills could detect the attack, and the organization's power to issue certificates would be revoked.

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Tecno's Camon 50 Ultra 5G Will Arrive in India on This Date via Amazon
  2. Asus Expands AI PC Lineup in India With Refreshes Vivobook 14, Vivobook 15
  3. Motorola Edge 70 Max to Launch in India On This Day
  4. Sony IER-M500 In-Ear Monitors Launched With 5mm Driver, Hi-Res Audio
  5. Vivo T5 Lite 5G Will Launch in India on This Date
  6. Apple Reviews iPhone 17 Demand as Costs Rise Due to Memory Shortage: Report
  7. OTT Releases This Week: Peddi, Ikka, Balti, Dose, The Westies, and More
  1. Tecno Camon 50 Ultra 5G India Launch Date Announced; Colourways and Amazon Availability Confirmed
  2. Apple Reportedly Reviews iPhone 17 Demand as Costs Rise Amid Ongoing Memory Shortage
  3. Interpol Traces $122 Million Crypto Wallet Connected to Romance Scam Network
  4. Hong Kong's Securities and Futures Commission Tightens Anti-Phishing Standards for Crypto Platforms
  5. Itel Zeno 100 Pro India Launch Date Announced as Company Teases Zeno 100 Lite Arrival, Key Features
  6. Sony RX10 V Compact Camera Launched With 20.1-Megapixel Sensor, 4K 120fps Video Recording and 25x Optical Zoom
  7. Motorola Edge 70 Max India Launch Date Announced; Design, Key Features Revealed
  8. Asus Vivobook 14, Vivobook 15 Refreshed With Intel Core Series 3 Processors: Price, Availability
  9. Call of Duty: Black Ops and Black Ops 2 Ports Released on PS4 and PS5
  10. Samsung Galaxy Z Fold 8, Z Fold 8 Ultra Prices Surface Ahead of Unpacked Launch Event
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.