The New York Times reports on questions about the security of Web sites, where flaws could allow for surveillance of or eavesdropping on the activities of Internet users:
Computer security researchers are raising alarms about vulnerabilities in some of the Web’s most secure corners: the banking, e-commerce and other sites that use encryption to communicate with their users.
Those sites, which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user’s Web browser that the sites are authentic. But as the number of such third-party “certificate authorities” has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say. […]
The power to appoint certificate authorities has been delegated by browser makers like Microsoft, Mozilla, Google and Apple to various companies, including Verizon. Those entities, in turn, have certified others, creating a proliferation of trusted “certificate authorities,” according to Internet security researchers.
According to the Electronic Frontier Foundation, more than 650 organizations can issue certificates that will be accepted by Microsoft’s Internet Explorer and Mozilla’s Firefox, the two most popular Web browsers. Some of these organizations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens. […]
Concerns about certificates have been raised before. When Firefox considered granting certificate authority to a Chinese company earlier this year, members of the Firefox community worried that the company might be pressured by the government to eavesdrop, for example, on the Gmail accounts of Chinese dissidents. Eventually, Firefox decided to go ahead with the process.