Aug 13, 2010 20:13 GMT

In a letter to Verizon, the Electronic Frontier Foundation (EFF) asks the company to revoke the CA certificate issued to leading UAE telecom provider Etisalat, over fears that it might misuse it to engage in covert surveillance.

“We are writing to request that Verizon investigate the security and privacy implications of the SSL CA certificate (serial number 0x40003f1) that Cybertrust (now a division of Verizon) issued to Etisalat on the 19th of December, 2005, and evaluate whether this certificate should be revoked,” the Internet privacy watchdog wrote in the letter.

EFF's concerns stem from an incident in July 2009, when Etisalat, the largest telecom provider in the United Arab Emirates, pushed spyware disguised as a system update to its BlackBerry subscribers.

In order to be accepted by the devices, the spying application, which was able to upload emails and messages to a remote server, amongst other things, was digitally signed with a special crypto key.

EFF says this is a strong indication of the mobile operator's willingness to misuse cryptographic systems for surveillance purposes, and that in this context Etisalat's status as a Certificate Authority is at least worrying, if not dangerous.

Certificate Authorities (CAs) are entities which have the power to generate SSL certificates trusted by all browsers for any domain name, like google.com, microsoft.com and so on.

There are only a handful of root CA certificates included in browsers, but since CA powers can be delegated, the number of such organizations has risen to over 650.

These companies are spread across the world, including in countries like China, which have a proven tendency to spy on their citizens.

“Because Microsoft, Mozilla, and other browser vendors have chosen to delegate certificate issuing authority to Verizon/Cybertrust, and because Cybertrust in turn chose to delegate this authority to Etisalat, Verizon is now the only party in a position to mitigate this risk to Internet security in a manner that is prompt and minimizes side-effects,” the EFF concludes.