EFF Asks Verizon Whether Etisalat Deserves CA Trust
Peter Eckersley writes "Today EFF published an open letter to Verizon, calling for investigation of a trusted SSL Certificate Authority. Etisalat is a majority state-owned telecom of the United Arab Emirates with operations throughout the Middle East. You may remember that last year Etisalat installed malware on its subscribers' BlackBerry phones, and was recently pivotal in the UAE's threat to disconnect BlackBerry devices altogether if Research In Motion did not provide a backdoor for BES servers' crypto. This company, which appears to be institutionally hostile to the existence and use of secure cryptosystems, is in possession of a master certificate for HTTPS, encrypted POP and IMAP, and other SSL-based security systems. Etisalat's CA certificate is not trusted directly by Mozilla and Microsoft, but was instead delegated as an Intermediate CA by Verizon. As a result, we are asking Verizon to investigate whether it is appropriate for Etisalat to continue holding this certificate, and to consider revoking it."
In the old days, before electronic phones, you could buy a "tap indicator" and know that your phone connection to your local bank was secure against all but the most determined adversary besides the phone company.
Even without such a tap-indicator, you knew that there were a limited number of points where someone other than the phone company could tap without attracting attention - basically, your home or neighborhood to the point where the cables went underground, or the bank and points between it and where the phone cable went underground.
Even before IP-telephony, it took someone with expensive equipment or with the knowledge to break into the telephone switch to tap your conversation without the telco's knowledge.
Now I don't trust my phone any more than I trust my web browser.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.