Weak link in the security of websites discovered

According to a weekend report in the New York Times, because the number of 'certificate authorities' has blossomed into the hundreds, it is becoming "increasingly difficult to trust" that sites are not using the certificates for nefarious purposes.

Reporting on this serious security development, writer Nigel Helft quotes Peter Eckersley, a senior staff technologist with the Electronic Frontier Foundation (EFF), as saying that the proliferation of certificate authorities is becoming one of the weaker links the industry has to worry about.

The New York Times says that the power to appoint certificate authorities has been delegated by browser makers like Microsoft, Mozilla, Google and Apple to various companies, including Verizon.

"Those entities, in turn, have certified others, creating a proliferation of trusted 'certificate authorities' according to internet security researchers", says the paper.

The EFF is quoted as saying there are now more than 650 organisations that can issue certificates that will be accepted by Microsoft’s Internet Explorer and Mozilla Firefox.

But the bad news, the electronic civil liberties organisation says, is that some of these organisations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens.

"Mr Eckersley said Exhibit No. 1 of the weak links in the chain is Etisalat, a wireless carrier in the United Arab Emirates that he said was involved in the dispute between the BlackBerry maker, Research In Motion, and that country over encryption", noted the New York Times.

As reported previously by Infosecurity, the UAE threatened to block some BlackBerry services on its network because of the smartphone maker's refusal to offer a surveillance back door on the mobiles.

The NYT noted that the UAE cellular operator Etisalat was found to have installed spyware on the handsets of some 100 000 BlackBerry subscribers last year and that Research In Motion later issued patches to remove the malicious code.

Despite this history, the EFF told the paper that Etisalat is nonetheless one of the certificate authorities and could therefore misuse its position to eavesdrop on the activities of internet users.

According to the NYT, in an open letter signed by Mr. Eckersley, the EFF is asking Verizon, which issued Etisalat the facility to certify websites, to consider revoking that authority.

In its letter, the EFF apparently wrote that Etisalat could issue fake certificates to itself for "scores of websites, including google.com, Microsoft.com and Verizon.com", and "use those certificates to conduct virtually undetectable surveillance and attacks against those sites."

"We believe this situation constitutes an unacceptable security risk to the internet in general and especially to foreigners who use Etisalat’s data services when they travel", says the EFF letter, adding that the foundation does not know whether Etisalat has misused its authority.
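The structural weakness behind the EFF's complaint is that a browser accepts a certificate for a site if any one of the hundreds of roots in its trust store (or a CA those roots have delegated to) signed it, so a second CA can issue a perfectly valid certificate for a name it has no relationship with. The following is an added example, not code from the article or from the EFF's letter, written in Go using only the standard library: it builds two trusted roots, has each issue a certificate for the same hostname, shows that ordinary chain validation accepts both, and then shows the mitigation a site or client can apply by pinning the expected root's public key. The CA names and the hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// mkCA creates a self-signed root certificate (constructed for this example).
func mkCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// mkLeaf has the given CA issue a server certificate for host. Nothing in X.509
// itself stops a CA from doing this for a name it does not control.
func mkLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value that
// public-key pinning compares against.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// browserAccepts mimics default browser behaviour: the leaf is accepted for host
// if ANY root in the store anchors a valid chain to it.
func browserAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinnedAccepts additionally requires that some valid chain ends at the root whose
// SPKI pin the relying party expects, which rejects certificates from other CAs.
func pinnedAccepts(leaf *x509.Certificate, roots *x509.CertPool, host, expectedRootPin string) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil { return false }
	for _, chain := range chains {
		if spkiPin(chain[len(chain)-1]) == expectedRootPin { return true }
	}
	return false
}

// Result records whether each check accepted the legitimate and the second CA's cert.
type Result struct{ BrowserLegit, BrowserOther, PinnedLegit, PinnedOther bool }

// RunScenario models the situation the EFF letter describes with two trusted roots.
func RunScenario() Result {
	const host = "www.example.com" // constructed hostname
	legitCA, legitKey := mkCA("Example Legitimate Root CA") // constructed CA name
	otherCA, otherKey := mkCA("Some Other Trusted Root CA") // constructed CA name
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(otherCA) // both sit in the trust store, like the hundreds of CAs the EFF counts
	legitLeaf := mkLeaf(legitCA, legitKey, host)
	otherLeaf := mkLeaf(otherCA, otherKey, host) // a second CA issuing for the same name
	pin := spkiPin(legitCA)                       // the root the site operator actually uses
	return Result{
		BrowserLegit: browserAccepts(legitLeaf, roots, host),
		BrowserOther: browserAccepts(otherLeaf, roots, host),
		PinnedLegit:  pinnedAccepts(legitLeaf, roots, host, pin),
		PinnedOther:  pinnedAccepts(otherLeaf, roots, host, pin),
	}
}

func main() {
	r := RunScenario()
	fmt.Printf("default validation: legit=%v other=%v\n", r.BrowserLegit, r.BrowserOther)
	fmt.Printf("pinned validation:  legit=%v other=%v\n", r.PinnedLegit, r.PinnedOther)
}
```

Default validation reports true for both certificates, which is exactly the exposure the EFF describes: trust is a flat set, and every member of it can vouch for every name. The pinned check reports true only for the chain anchored at the expected root. Pinning the root's SubjectPublicKeyInfo rather than the leaf's is a deliberate choice, since it survives routine leaf renewals while still rejecting any chain that ends at a different CA; a client that pins must also plan for the day the pinned root itself is replaced.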
