Experts warn of a weak link in the security of websites

By Miguel Helft, New York Times | Updated: 5 June 2012 02:26 IST
Computer security researchers are raising alarms about vulnerabilities in some of the Web's most secure corners: the banking, e-commerce and other sites that use encryption to communicate with their users.

Those sites, which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user's Web browser that the sites are authentic. But as the number of such third-party "certificate authorities" has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say.

"It is becoming one of the weaker links that we have to worry about," said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group.

The power to appoint certificate authorities has been delegated by browser makers like Microsoft, Mozilla, Google and Apple to various companies, including Verizon. Those entities, in turn, have certified others, creating a proliferation of trusted "certificate authorities," according to Internet security researchers.

According to the Electronic Frontier Foundation, more than 650 organizations can issue certificates that will be accepted by Microsoft's Internet Explorer and Mozilla's Firefox, the two most popular Web browsers. Some of these organizations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens.

Mr Eckersley said Exhibit No. 1 of the weak links in the chain is Etisalat, a wireless carrier in the United Arab Emirates that he said was involved in the dispute between the BlackBerry maker, Research In Motion, and that country over encryption. The UAE threatened to discontinue some BlackBerry services because of RIM's refusal to offer a surveillance back door to its customers' encrypted communications. Mr Eckersley also said that Etisalat was found to have installed spyware on the handsets of some 100,000 BlackBerry subscribers last year. Research In Motion later issued patches to remove the malicious code.

Yet Mr Eckersley said that Etisalat was one of the "certificate authorities" and could misuse its position to eavesdrop on the activities of Internet users.

In an open letter signed by Mr Eckersley, the Electronic Frontier Foundation is asking Verizon, which issued Etisalat's power to certify Web sites, to consider revoking that authority.

Verizon declined to comment. Etisalat did not respond to an e-mail requesting comment.

Mr Eckersley wrote that Etisalat could issue fake certificates to itself for scores of Web sites, including google.com, Microsoft.com and Verizon.com, and "use those certificates to conduct virtually undetectable surveillance and attacks against those sites." Etisalat could also eavesdrop on virtual private networks used by corporations to communicate securely around the world, he wrote.

"We believe this situation constitutes an unacceptable security risk to the Internet in general and especially to foreigners who use Etisalat's data services when they travel," he wrote, adding that the foundation did not know whether Etisalat had misused its authority yet.

Concerns about certificates have been raised before. When Firefox considered granting certificate authority to a Chinese company earlier this year, members of the Firefox community worried that the company might be pressured by the government to eavesdrop, for example, on the Gmail accounts of Chinese dissidents. Eventually, Firefox decided to go ahead with the process.

Other security experts said that they were concerned about the proliferation of certificate authorities.

"I think it is a really big deal," said Stephen Schultze, associate director of the Center for Information Technology Policy at Princeton University. Mr Schultze said that the problem "is not a reason to panic and stop doing online banking or e-commerce. But it is a bad enough problem that it should be receiving a lot more attention and we should be trying to fix it."

Some browser makers, however, suggested that while attacks were possible in theory, the system had worked reasonably well for more than a decade.

"It has proven itself historically to be relatively secure," said Johnathan Nightingale, Mozilla's director of Firefox development. Mr Nightingale said that many e-commerce sites were using a new type of certificate that required extensive verification. If a certificate authority was misusing its power to eavesdrop, he said, a user with technical skills could detect the attack, and the organization's power to issue certificates would be revoked.
