In the last few weeks, Research in Motion (RIM) faced the threat that its BlackBerry smartphones would be banned in the United Arab Emirates and Saudi Arabia, among other countries, because of security concerns. There were reports that Saudi Arabia and RIM had reached a preliminary deal, which raised security and privacy questions about the BlackBerry messaging service, which promises a “secure” e-mail system. NPR reported that problems that could arise for political dissidents or activists if governments gain access to the e-mail system.
Now, Slate takes a look at the issue of Internet security in general, explaining that Web users have a lot to worry about:
To understand how this happened, you need to understand the way much of the Web’s private traffic stays private. Whenever you’re sending sensitive information online—say, your credit card number to Amazon or a message over Gmail—the content is encrypted before being sent and then decrypted by the Web site you sent it to. (Sites using this secure mode have URLs that start with “https,” and browsers add a padlock icon as well to demonstrate you’re communicating securely.) Every vendor has its own rules for how to scramble information so that only it, the intended recipient, can decode it. If anyone intercepts the message along the way, it will appear to be a meaningless digital jumble. […]
But [experts] have also long been aware of a potential weakness in its design: There’s no way for your computer to know if the recipient is who they say they are.. Because of this, cyber-criminals (or curious governments) can trick you by staging a “man in the middle attack,” where the snoop acts as an uninvited mediator between you and the intended recipient. Your computer thinks it’s contacting your bank when in fact it’s contacting the snoop, using his own rules for encrypting information. […]
To overcome this deficiency, the Web’s security relies on the idea of “certificate authorities”: organizations that independently verify the identity of the Web site you’re communicating with and provide a digital confirmation that it’s authentic. […] Middle men can’t fake this authentication without getting a similar endorsement. These certificate authorities are supposed to conduct due diligence in ensuring that only the real Web site gets their stamps of approval. […]
A better solution is to clean up the certificate authority lists and revoke the rights of organizations who could abuse it. The Electronic Frontier Foundation, where I used to work, recently published an open letter to Verizon asking them to consider publicly revoking the certificate authority that the company granted Etisalat. But that still leaves the hundreds of other certificate authorities that could turn rogue and start spying on the Web’s secure systems.