This is an old revision of the page Библиотека / Статьи / Certified Lies / Some C As Already Participate In Surveillance, dated 31/03/2010 15:32.


6 Some CAs Already Participate in Surveillance

Much of the power of the compelled certificate creation attack is due to the fact that it does not require the cooperation of a friendly CA. While no corporation can ultimately refuse to comply with a valid court order, firms with existing, profitable surveillance relationships with the government are perhaps less likely to vigorously fight those orders when they do come.

As such, we believe it is worthwhile to highlight the extremely close ties that several companies with CA product divisions already have to governments, and in particular, their regular involvement in and cooperation with other forms of surveillance.

6.1 VeriSign

VeriSign's certificates are used by more than one million Web servers worldwide, more than any other CA. The company claims that the world's 40 largest banks and over 95% of Fortune 500 companies choose SSL certificates from it or its subsidiaries [25]. Thus, of all the CAs, users are probably most likely to recognize VeriSign's brand name, and perhaps even associate it with secure electronic transactions.

Those few consumers who have heard of VeriSign are unlikely to know that the company is involved in several business areas other than its high profile sale of SSL certificates. Of particular relevance to this discussion is the VeriSign business unit used by many large telecommunications firms who have opted to outsource their own surveillance and government compliance responsibilities. VeriSign's own marketing materials describe its outsourced Communications Assistance for Law Enforcement Act (CALEA) compliance product offerings in some detail (see Figure 2), and further reveal that cable giant Cox Communications and VOIP leader Vonage are among its many satisfied corporate customers [26, 27].


Figure 2: The process flow used by the VeriSign Security Office in handling outsourced subpoena requests (from the company's marketing materials) [24]


A 2004 New York Times profile on the company's surveillance unit revealed that:

"'All the costs carriers incur are ultimately going to be passed on to the consumer,' said Tom Kershaw, vice president for voice-over-Internet services at VeriSign, which provides surveillance support for Internet phone companies.

To make wiretapping possible, Internet phone companies would have to buy equipment and software as well as hire technicians, or contract with VeriSign or one of its competitors. The costs could run into the millions of dollars, depending on the size of the Internet phone company and the number of government requests [28]."

We have no evidence to suggest that the CA unit within VeriSign has ever been compelled by the US government to produce a certificate for use by intelligence agencies. Likewise, we have no evidence to suggest that VeriSign has ever broken any laws or improperly disclosed consumers' private data to government agencies.

Nevertheless, VeriSign, the largest provider of SSL certificates in the world, whose customers include many foreign banks, companies and governments from countries that do not have friendly relations with the United States, also happens to make significant sums of money by facilitating the disclosure of US consumers' private data to US government law enforcement and intelligence agencies. This fact alone may be sufficient to give some foreign organizations good reason to question their choice of CA.

6.2 Etisalat

Etisalat is the United Arab Emirates national telecommunications services provider, and operates in 17 countries across Asia, the Middle East and Africa. In addition to being the 13th largest mobile network operator in the world, the company is also an intermediate CA (trusted by the browsers via a certificate issued by root CA GTE CyberTrust).
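The trust relationship in that last sentence, an intermediate CA whose certificates browsers accept only because it chains up to a root they already trust, is the same mechanism that makes the closing remark of this section (users who have never heard of Etisalat depend on it) true. The following Go program is an added example and is not part of the paper or of any CA's software; it uses only the standard library and constructed names (Example Root CA, Example Intermediate CA, bank.example) that stand in for a root such as GTE CyberTrust and an intermediate such as Etisalat. It issues a three-link chain, then verifies the leaf the way a browser would: with the root in the trust store the chain is accepted without the user ever having chosen to trust the intermediate, and with the root removed the identical intermediate carries no trust at all, which is the lever an operator has for auditing or distrusting a CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template; isCA marks it as a signing CA.
// All names are constructed for this example and do not belong to real CAs.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{"bank.example"}
	}
	return t
}

// issue generates a fresh P-256 key and signs tmpl with parentKey.
// With parent == nil the certificate is self-signed, i.e. a root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoChain issues root -> intermediate -> server leaf.
func BuildDemoChain() (leaf, inter, root *x509.Certificate, err error) {
	root, rootKey, err := issue(template("Example Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(template("Example Intermediate CA", 2, true), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = issue(template("bank.example", 3, false), inter, interKey)
	return leaf, inter, root, err
}

// AcceptedPath validates leaf as a browser does: only trustedRoots are trusted
// a priori, intermediates are just candidate links. It returns the subject
// names of the accepted chain, leaf first, or the verification error.
func AcceptedPath(leaf *x509.Certificate, intermediates, trustedRoots []*x509.Certificate) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustedRoots {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "bank.example", Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

// Demo returns the path accepted when the root is trusted and the error seen
// when the trust store is empty (same leaf, same intermediate).
func Demo() (withRoot []string, withoutRoot error, buildErr error) {
	leaf, inter, root, err := BuildDemoChain()
	if err != nil {
		return nil, nil, err
	}
	withRoot, err = AcceptedPath(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root})
	if err != nil {
		return nil, nil, err
	}
	_, withoutRoot = AcceptedPath(leaf, []*x509.Certificate{inter}, nil)
	return withRoot, withoutRoot, nil
}

func main() {
	path, untrusted, err := Demo()
	fmt.Println("root trusted:", path, err)
	fmt.Println("root removed:", untrusted)
}
```

The intermediate's name appears only in the accepted path, never in anything the user configured; removing the root from the trust store is the only configuration change needed to withdraw that trust, and the program's second call shows exactly that rejection.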

In July 2009, approximately 100,000 UAE based BlackBerry subscribers of Etisalat received a mandatory "performance-enhancement patch" from the wireless carrier. The patch drew media attention after numerous users complained that it drained their handset battery and slowed performance [29]. After researchers examined the code, they discovered it actually contained surveillance software, which monitored outbound email messages and covertly sent copies of them back to a central server [30]. While Etisalat and SS8, the US based company that created and sells the surveillance software, both refused to comment on the controversy, RIM (which manufactures the BlackBerry) confirmed that the software was being used to covertly monitor users and quickly released a patch to remove the spyware [31].

Again, just as with VeriSign, we have no evidence to suggest that Etisalat has ever issued an improper certificate in response to a government request. Likewise, we have no evidence to suggest that Etisalat has violated the laws of the UAE. It is quite likely that the company was compelled by the UAE authorities to deploy the surveillance software to its customers.

Nevertheless, hundreds of millions of people around the world, most of whom have never heard of Etisalat, unknowingly depend upon a company that has intentionally delivered spyware to its own paying customers, to protect their own communications security.
