Your cellphone allows authorities to locate you and uncover your sources. By Danny O'Brien
Cryptographer Bruce Schneier linked to my Slate piece on rogue certificate authorities (CAs), which could allow governments like the UAE to monitor even the supposedly secure communications of journalists and others.
The smart comments include a link to this fascinating discussion at Mozilla that shows the procedures browser-makers use when deciding which certificates to include in their root store (the list of certificates the browser will assume are trustworthy). It looks like the root certificates are supposed to comply with a policy that subordinate CAs must only be used for internal purposes, but there's no way to enforce that.
One solution is to restrict subordinate CAs to a selected set of domain names. That would mean that Etisalat or the Department of Homeland Security or Ford Motors could only use the power of their CA for their own domains (and not maliciously to pretend to be Gmail or your bank) - but it might be difficult to impose that retrospectively on the unknown number of unconstrained subordinate CAs that are now out there.
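The restriction described above is what X.509 calls the name constraints extension (RFC 5280, section 4.2.1.10): a subordinate CA certificate carries a list of permitted DNS subtrees, and a validating client rejects any certificate below it whose names fall outside them. The following is an added illustration, not code from the original post or from any browser: it models certificates as plain records (no parsing or signature checking) and walks a chain, showing that a sub-CA constrained to example.com cannot be used to vouch for mail.google.com, while an unconstrained sub-CA can. All names, the "Example Corp" hierarchy, and the helper functions are constructed for the demo.

```python
"""Toy X.509 path check that enforces DNS name constraints on a
subordinate CA (RFC 5280 section 4.2.1.10). Certificates are modelled as
plain records; no real parsing or signature verification is done."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    dns_names: List[str]                       # subjectAltName dNSName entries
    is_ca: bool = False
    permitted_dns: Optional[List[str]] = None  # None: no permittedSubtrees at all
    excluded_dns: List[str] = field(default_factory=list)


def dns_in_subtree(name: str, base: str) -> bool:
    """True if `name` equals `base` or is a subdomain of it (case-insensitive).
    A leading dot on the constraint is tolerated, as many implementations do."""
    name = name.lower().rstrip(".")
    base = base.lower().strip(".")
    if not base:
        return True
    return name == base or name.endswith("." + base)


def intersect_subtrees(a: List[str], b: List[str]) -> List[str]:
    """Intersection of two permitted-subtree lists: keep the narrower of each
    overlapping pair. An empty result means nothing is permitted."""
    out = set()
    for p in a:
        for q in b:
            if dns_in_subtree(p, q):
                out.add(p.lower())
            elif dns_in_subtree(q, p):
                out.add(q.lower())
    return sorted(out)


def name_allowed(name: str, permitted: Optional[List[str]],
                 excluded: List[str]) -> bool:
    """excludedSubtrees always win; permittedSubtrees apply only if present."""
    if any(dns_in_subtree(name, e) for e in excluded):
        return False
    if permitted is None:
        return True
    return any(dns_in_subtree(name, p) for p in permitted)


def check_chain(chain: List[Cert]) -> List[str]:
    """Walk [root, ..., leaf]; return human-readable violations ([] = OK).
    Constraints accumulate downward: each certificate's names must satisfy
    every ancestor's permitted/excluded subtrees."""
    violations: List[str] = []
    permitted: Optional[List[str]] = None
    excluded: List[str] = []
    for idx, cert in enumerate(chain):
        is_leaf = idx == len(chain) - 1
        if not is_leaf and not cert.is_ca:
            violations.append(f"{cert.subject}: not a CA but appears as an issuer")
        for n in cert.dns_names:
            if not name_allowed(n, permitted, excluded):
                violations.append(
                    f"{cert.subject}: name {n!r} outside issuer's name constraints")
        if cert.permitted_dns is not None:
            permitted = (list(cert.permitted_dns) if permitted is None
                         else intersect_subtrees(permitted, cert.permitted_dns))
        excluded = excluded + list(cert.excluded_dns)
    return violations


# Constructed demo hierarchy (hypothetical names, not real CAs).
ROOT = Cert("Universal Root CA", [], is_ca=True)
CONSTRAINED_SUBCA = Cert("Example Corp sub-CA", [], is_ca=True,
                         permitted_dns=["example.com"])
UNCONSTRAINED_SUBCA = Cert("Example Corp sub-CA (no constraints)", [], is_ca=True)


def leaf(host: str) -> Cert:
    """End-entity certificate for a single hostname."""
    return Cert(f"CN={host}", [host])


if __name__ == "__main__":
    for sub, host in [(CONSTRAINED_SUBCA, "www.example.com"),
                      (CONSTRAINED_SUBCA, "mail.google.com"),
                      (UNCONSTRAINED_SUBCA, "mail.google.com")]:
        result = check_chain([ROOT, sub, leaf(host)])
        print(f"{sub.subject} -> {host}: {result or 'OK'}")
```

The third case is the point of the post: a root that issues an unconstrained subordinate CA gives that sub-CA the full authority of the root, and nothing in the path-validation logic stops it. Only a constraint actually encoded in the sub-CA certificate (or a client that refuses to honour unconstrained sub-CAs) closes that gap, which is why retrofitting it onto already-issued certificates is hard.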