San Francisco: Computer security researchers are raising alarms about vulnerabilities in some of the Web's most secure corners: the banking, e-commerce and other sites that use encryption to communicate with their users.
These sites, which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organisation to issue a certificate that guarantees to a user's Web browser that the sites are authentic.
But as the number of such third-party "certificate authorities" has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say.
"It is becoming one of the weaker links that we have to worry about," said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group.
The power to appoint certificate authorities has been delegated by browser makers like Microsoft, Mozilla, Google and Apple to various companies, including Verizon. Those entities, in turn, have certified others, creating a proliferation of trusted "certificate authorities," according to Internet security researchers.
According to the Electronic Frontier Foundation, more than 640 organisations can issue certificates that will be accepted by Microsoft's Internet Explorer and Mozilla's Firefox, the two most popular Web browsers. Some of these organisations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens.
Eckersley said Exhibit No. 1 of the weak links in the chain is Etisalat, a wireless carrier in the United Arab Emirates that he said was involved in the dispute between the BlackBerry maker, Research In Motion, and that country over encryption. The UAE threatened to discontinue some BlackBerry services because of RIM's refusal to offer a surveillance back door to its customers' encrypted communications.
Eckersley also said that Etisalat was found to have installed spyware on the handsets of some 100,000 BlackBerry subscribers last year. Research In Motion later issued patches to remove the malicious code.
Yet Eckersley said that Etisalat was one of the "certificate authorities" and could misuse its position to eavesdrop on the activities of Internet users.
In an open letter signed by Eckersley, the Electronic Frontier Foundation is asking Verizon, which issued Etisalat's power to certify web sites, to consider revoking that authority.
Verizon declined to comment. Etisalat did not respond to an e-mail requesting comment.
Security experts say it is becoming difficult to trust the organisations that guarantee a website is authentic.