Web users in the United Arab Emirates have more to worry about than having just their BlackBerries cracked.

Inside the Internet.
Aug. 27 2010 2:56 PM

The Internet's Secret Back Door

Web users in the United Arab Emirates have more to worry about than having just their BlackBerries cracked.

Etisalat Telecommunications company tower. Click image to expand.
Etisalat Telecommunications

The United Arab Emirates continues to wrestle with Research in Motion over government access to BlackBerry messages, threatening to ban the company's services if it doesn't severely weaken the anti-snooping protections on its smartphones. But years before the RIM battle boiled over, other Western companies handed the country a far greater power: the capability to infiltrate the secure system used by most banking, mail, and financing sites, making the most protected data on the Web available to the prying eyes of the emirates' government-connected telecommunications giant.

To understand how this happened, you need to understand the way much of the Web's private traffic stays private. Whenever you're sending sensitive information online—say, your credit card number to Amazon or a message over Gmail—the content is encrypted before being sent and then decrypted by the Web site you sent it to. (Sites using this secure mode have URLs that start with "https," and browsers add a padlock icon as well to demonstrate you're communicating securely.) Every vendor has its own rules for how to scramble information so that only it, the intended recipient, can decode it. If anyone intercepts the message along the way, it will appear to be a meaningless digital jumble.

Cryptographers are reasonably confident that the mathematics behind this method of encryption makes it unassailable by direct assault, even by the most well-funded intelligence agencies. But they have also long been aware of a potential weakness in its design: There's no way for your computer to know if the recipient is who they say they are. Because of this, cyber-criminals (or curious governments) can trick you by staging a "man in the middle attack," where the snoop acts as an uninvited mediator between you and the intended recipient. Your computer thinks it's contacting your bank when in fact it's contacting the snoop, using his own rules for encrypting information. He decodes it, copies your sensitive data, then re-encodes it according to the bank's rules and sends it along. He does the same thing for traffic coming from the bank to you. Both your bank and you would believe you were talking directly to each other with no one else listening.

To overcome this deficiency, the Web's security relies on the idea of "certificate authorities": organizations that independently verify the identity of the Web site you're communicating with and provide a digital confirmation that it's authentic. A certificate authority's digital endorsement decides whether your browser believes a site when it claims to be GMail, Microsoft, or even the New York Times, which has a secure version. Middle men can't fake this authentication without getting a similar endorsement. These certificate authorities are supposed to conduct due diligence in ensuring that only the real Web site gets their stamps of approval.

Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more than 60 separate certificate authorities by default.  Microsoft's software trusts more than 100 private and government institutions.

Disturbingly, some of these trusted certificate authorities have decided to delegate their powers to yet more organizations, which aren't tracked or audited by browser companies. By scouring the Net for certificates, security researchers have uncovered more than 600 groups who, through such delegation, are now also automatically trusted by most browsers, including the Department of Homeland Security, Google, and Ford Motors—and a UAE mobile phone company called Etisalat.

In 2005, a company called CyberTrust—which has since been purchased by Verizon— gave Etisalat, the government-connected mobile company in the UAE, the right to verify that a site is valid. Here's why this is trouble: Since browsers now automatically trust Etisalat to confirm a site's identity, the company has the potential ability to fake a secure connection to any site Etisalat subscribers might visit using a man-in-the-middle scheme.

Etisalat doesn't exactly have a clean record when it comes to privacy. Tech watchdogs have already caught it deliberately attempting to invade the privacy of its own users. In July 2009, Etisalat abruptly announced a software update on all its BlackBerry customers. Described as a "network upgrade," the application in fact copied all messages written on the device to two private Etisalat e-mail addresses. Research in Motion distanced itself from this clumsy attempt at government spyware, clarifying that it was "not a RIM-authorized software upgrade" and providing a counter-app to remove the program.

To date, no one has observed Etisalat fake a Web site to spy on an individual's encrypted traffic. But because of the proliferation and delegation of certificate authorities, Etisalat and hundreds of other groups have that capability. The good news about misusing the power of certificate authorities is that, like the BlackBerry upgrade, such attacks can quickly be uncovered and publicized, given enough vigilance and the right tools.

A better solution is to clean up the certificate authority lists and revoke the rights of organizations who could abuse it. The Electronic Frontier Foundation, where I used to work, recently published an open letter to Verizon asking them to consider publicly revoking the certificate authority that the company granted Etisalat. But that still leaves the hundreds of other certificate authorities that could turn rogue and start spying on the Web's secure systems.

Ironically, RIM's enterprise BlackBerry encryption is one of the few secure Internet communication channels that doesn't depend on certificate authorities, which could be one of the reasons the UAE is so obsessed with cracking it. RIM's defense against the UAE's demands is that corporations and individuals expect the same level of privacy in their BlackBerry communications as they get from any other Internet service. "Everything on the Internet is encrypted," CEO Michael Lazaridis told the Wall Street Journal, slightly inaccurately. "This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off." What's worrying is that the UAE may indeed have already "dealt with" the rest of the Internet—just not in the way that most of us would like.

Like Slate on Facebook. Follow us on Twitter.

Danny O'Brien is the internet advocacy coordinator for the Committee to Protect Journalists. Follow him on Twitter.

TODAY IN SLATE

The World

The Budget Disaster that Sabotaged the WHO’s Response to Ebola

Are the Attacks in Canada a Sign of ISIS on the Rise in the West?

PowerPoint Is the Worst, and Now It’s the Latest Way to Hack Into Your Computer

Watch Little Girls Swear for Feminism

Fascinating Maps Based on Reddit, Craigslist, and OkCupid Data

Education

Welcome to 13th Grade!

Some high schools are offering a fifth year. That’s a great idea.

Culturebox

The Actual World

“Mount Thoreau” and the naming of things in the wilderness.

Want Kids to Delay Sex? Let Planned Parenthood Teach Them Sex Ed.

Can Democratic Sen. Mary Landrieu Pull Off One More Louisiana Miracle?

  News & Politics
The World
Oct. 23 2014 1:51 PM Is This the ISIS Backlash We've Been Waiting For?
  Business
Moneybox
Oct. 23 2014 11:51 AM It Seems No One Is Rich or Happy: I Looked
  Life
Atlas Obscura
Oct. 23 2014 1:34 PM Leave Me Be Beneath a Tree: Trunyan Cemetery in Bali
  Double X
The XX Factor
Oct. 23 2014 11:33 AM Watch Little Princesses Curse for the Feminist Cause
  Slate Plus
Working
Oct. 23 2014 11:28 AM Slate’s Working Podcast: Episode 2 Transcript Read what David Plotz asked Dr. Meri Kolbrener about her workday.
  Arts
Culturebox
Oct. 23 2014 1:46 PM The Real Secret of Serial Has Sarah Koenig made up her mind yet? 
  Technology
Technology
Oct. 23 2014 11:45 AM The United States of Reddit  How social media is redrawing our borders. 
  Health & Science
Bad Astronomy
Oct. 23 2014 7:30 AM Our Solar System and Galaxy … Seen by an Astronaut
  Sports
Sports Nut
Oct. 20 2014 5:09 PM Keepaway, on Three. Ready—Break! On his record-breaking touchdown pass, Peyton Manning couldn’t even leave the celebration to chance.