Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFF Asks Verizon Whether Etisalat Deserves CA Trust

Posted by timothy on from the suuuuuure-they-do dept.

Peter Eckersley writes "Today EFF published an open letter to Verizon, calling for investigation of a trusted SSL Certificate Authority. Etisalat is a majority state-owned telecom of the United Arab Emirates with operations throughout the Middle East. You may remember that last year Etisalat installed malware on its subscribers' BlackBerry phones, and was recently pivotal in the UAE's threat to disconnect BlackBerry devices altogether if Research In Motion did not provide a backdoor for BES servers' crypto. This company, which appears to be institutionally hostile to the existence and use of secure cryptosystems, is in possession of a master certificate for HTTPS, encrypted POP and IMAP, and other SSL-based security systems. Etisalat's CA certificate is not trusted directly by Mozilla and Microsoft, but was instead delegated as an Intermediate CA by Verizon. As a result, we are asking Verizon to investigate whether it is appropriate for Etisalat to continue holding this certificate, and to consider revoking it."

5 of 135 comments (clear)

  1. Revoke time by ewanm89 · · Score: 4, Insightful

    Time to revoke Verizon certificates on my computers.

    1. Re:Revoke time by bertok · · Score: 5, Insightful

      In part, this problem might be solved by DNSSEC.

      Unfortunately not, because the decision makers of internet security protocols are all greedy pigs who want to charge you money for a service that you can do yourself for free.

      From day 1, the HTTPS CA and DNS CA systems should have been one and the same.

      That is, not tying the two systems together is a gaping security hole that means that even if you control a domain, someone else can issue certificates for that domain and the users can't tell.

      DNS should have had a CA hierarchy built into it from the beginning, so that if you own 'google.com', you can issue a cert for it for free as easily as creating a record, and if anyone else tries to do the same, they won't get very far because they can't create a cert signed by *your* DNS domain key.

      There's so much more money to be made however by taking the CA control out of the hands of the DNS domain admins and putting it in the hands of some corporation.

  2. Re:Need levels of certification by Rich0 · · Score: 4, Insightful

    - "self-signed" certificates, which we already have and which aren't worth much more than the bits that carry them unless you have some independent way to trust them.

    I'll disagree with this. They're worth at least as much as the bits used to transport non-SSL traffic, which is about 90% of the traffic on the internet.

    For some reason we have a model which treats encrypted and non-authenticated traffic as being less secure than unencrypted and non-authenticated traffic. This is completely backwards.

    Sure, browsers shouldn't treat these the same as trusted SSL connections, but they shouldn't generate warnings for it that they wouldn't generate for non-SSL traffic. Worried about MITM? Well, if I wanted to MITM your connection I'd just open a non-SSL connection to your browser and an SSL connection to the bank, and your browser wouldn't complain one bit.

  3. The system is broken by TuballoyThunder · · Score: 4, Insightful
    There are so many trusted certificate signing authorities that I believe the trust system is untrustworthy. I counted over 40 certificate authorities in Mozilla and I did not make it past the letter "I' in the list of trusted CA's. Throw in the intermediate CA's and the problem gets worse. Lets assume that all CA's are trustworthy. Furthermore, assume that there is a 1 in a million chance for any individual CA in any given year to make a mistake. A system of 100 CA's would have a 1 in 10,000 chance of making a mistake. Many of the CA are regionally focused and it makes no sense why a user should trust all CA's equally.

    The following changes could be useful:

    • selectively prune the trust hierarchy
    • flag certificates that change (there are addons)
    • specify the maximum path length you are willing to trust
    • Be able to assign a trust weight to a CA
  4. Re:Proves that certs are useless in the real world by DavidTC · · Score: 4, Insightful

    Exactly.

    Even in a WoT model, most people would not really use it. They'd use the hundred or so big list that came with the browser, consisting of major banks and whatnot. And the first time they went to amazon, the browser would popup a message and say 'According to 100,000 other users, this cert is legitimate. Trust Yes/No?' and they'd say yes.

    The current system is so entirely broken it's a good thing we don't actually need need certs in the first place...99.999% of the time, we just need damn encryption. MitM is such an order of magnitude more complicated than sniffing it's crazy we've decided to care about it that much.

    Now that we have DNSSEC actually up and running, I wish we'd invent some sort of 'Here is my SSL cert fingerprint' DNS record. Then people could just make their own cert (Which should be easier and not require them to also make a CA.) and stick the fingerprint in their DNS. (This would work without DNSSEC also, but with DNSSEC it's secure.)

    --
    If corporations are people, aren't stockholders guilty of slavery?