Thursday, April 25, 2013

Certificates, Apple, Microsoft and your life

In the world of the Internets, there is something most people don't know about: Certificate Authorities. Let's explain what they are and how some IT companies are putting people in danger of being tracked down, tortured, and murdered, in addition to empowering authoritarian regimes and undermining democracy.

When you connect to the Internet with a web browser, some websites tell you that the connection between them and you is totally secure, and that your relationship with them is so special that nobody will know what you're telling each other. That's important in cases like banking websites. This confidentiality is generally indicated by a locked padlock displayed near the address of that website in your browser as shown on following screenshots:

The thing is: No website can be trusted to declare itself trustworthy. Otherwise, websites owned by mafias and thugs would claim to be trustworthy too. So, some companies (Certificate Authorities or CA) act as a middleman. Not only do they send you the "padlock information" but they also cipher the communication between you and the target website so that nobody can eavesdrop on your communication. That's how your credit card number can be safe when you buy things online.

For obtaining a certificate (agreement between the website and the CA), the website owner needs first to contact the CA, fill some forms, prove his identity, etc. and of course pay some fee to the CA, but that's normal business. Then the CA does its job to screen the website owner and delivers a certificate to legit people while rejecting the requests from bad people.

So let's take a pause for a quick example! If I am a bad guy and if I want to steal some people's banking information, I could register a website name with almost the same name as the real banking website, with only 1 letter difference. Some people SHALL mistype the website address and land on my nefarious page, which I will make look alike the real thing. Then I just have to sit and wait for people to tell me their name and password... EXCEPT there's no way I would obtain a certificate from a CA, so you won't be fooled by my webpage since I don't have a padlock!

So... CA's are great.

But CA's are the ones who cipher your communication with the websites. So they can know your little secrets. They can also alter the communication on the fly between you and the website. For example, they could pretend to be the website and sending you doctored web pages while never establishing a connection from you to the website. Or they could remove and add content on the fly! If you live in a dictatorship that fights against the color "pink", they might automatically delete (in the pages you browse) all the sentences that include this word or automatically replace "pink" by "orange".

During the Arab Spring in Tunisia, it was discovered that the dictator Ben Ali made use of a subsidiary CA of Microsoft to fake the sense of security of Gmail and Facebook users, steal the logins and passwords, spy on all messages, etc. This allowed him to target, arrest and do bad bad things to people who disagreed with him. Many other countries act in a very similar way. USA would be one of these countries but I'll leave out the details for later.

Now, it's Apple's turn to introduce certificates connected to the American Department of Defense in OS X, iOS5 and iOS6. You might think that you've done nothing reprehensible and that you therefore have nothing to hide and that there's no reason why you should worry about any government knowing everything about you. You would be wrong about that, but that's a story for another lengthy article.


You've learned something about CA. Congratulations!

No comments:

Post a Comment

Creative Commons License
Erik Lallemand's blog by Erik Lallemand is licensed under
a Creative Commons Attribution 3.0 Unported License.