The Electronic Frontier Foundation (EFF) is warning that state agencies are probably able to routinely eavesdrop on SSL-encrypted internet connections. They refer to a draft research paper in which researchers Christopher Soghoian and Sid Stamm summarise the evidence for this supposition and describe a possible defensive strategy.
The two researchers are not able to provide any hard facts. They start by stating that many governments routinely compel companies to cooperate with surveillance measures. In the USA, the statute under which companies can be compelled to assist with such measures is "remarkably broad". According to the researchers, these statutes have been used, for example, to compel a SatNav manufacturer to activate the built-in microphone in one of its devices in order to record conversations in a vehicle. VeriSign, the largest provider of SSL certificates, is, according to the paper, also in the business of providing outsourced telecommunications surveillance services.

They conclude that government agencies must therefore also be able to compel certification authorities such as VeriSign to issue arbitrary SSL certificates. In many countries there are government-run certification authorities (CAs) whose root certificates are shipped as trusted roots in all of the common browsers. Internet Explorer, Firefox, Safari and Chrome blindly trust more than 100 root certificates, including certificates from VeriSign, Deutsche Telekom and the network administration agency CNNIC, which is controlled by the Chinese government.

If a web server presents a certificate signed by any one of these bodies, the browser tells the user that the connection is trusted by means of a padlock symbol or a green address bar; no trusted root is restricted to particular domains or countries. The whole SSL trust model therefore rests on the trustworthiness of the CAs. Anyone holding the private key of a root certificate, or of a major CA's intermediate certificate, can forge a certificate for any site on the fly and eavesdrop on the "encrypted" connection without triggering a browser warning.
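Because every trusted root can sign a certificate for any name, the browser's padlock alone cannot reveal a compelled certificate. The following is an added example (not code from the article or from the Soghoian/Stamm paper) of a trust-on-first-use check a client or monitoring tool could apply on top of normal validation: it remembers which CA, and which CA country, first issued a host's certificate and flags a later certificate from a different CA or a different country. The hostnames, issuer names and fingerprints are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Observation:
    host: str            # server name the certificate was presented for
    issuer_org: str      # O= attribute of the certificate's Issuer field
    issuer_country: str  # C= attribute of the certificate's Issuer field
    fingerprint: str     # SHA-256 of the leaf certificate, hex


@dataclass
class IssuerMonitor:
    """Trust-on-first-use record of which CA issued each host's certificate."""
    seen: dict = field(default_factory=dict)

    def check(self, obs: Observation) -> str:
        prior = self.seen.get(obs.host)
        if prior is None:
            self.seen[obs.host] = obs          # first contact: record, cannot judge
            return "first-seen"
        if prior.fingerprint == obs.fingerprint:
            return "unchanged"
        # A new leaf certificate: decide whether the issuing CA is still the same.
        if prior.issuer_country != obs.issuer_country:
            return "ALERT: issuer country changed"   # keep the old record for review
        if prior.issuer_org != obs.issuer_org:
            return "WARN: issuer changed"
        self.seen[obs.host] = obs              # same CA, routine renewal
        return "renewed"


# Constructed sample observations (hypothetical CAs, not real certificates).
SAMPLE = [
    Observation("mail.example.com", "Example Root CA", "US", "aa" * 32),
    Observation("mail.example.com", "Example Root CA", "US", "aa" * 32),
    Observation("mail.example.com", "Example Root CA", "US", "bb" * 32),
    # Any of the 100+ trusted roots can sign this name; the browser would show a padlock.
    Observation("mail.example.com", "Other Trusted Root", "CN", "cc" * 32),
]


def run(observations) -> list:
    """Return the verdict for each observation in order."""
    mon = IssuerMonitor()
    return [mon.check(o) for o in observations]


if __name__ == "__main__":
    for o, verdict in zip(SAMPLE, run(SAMPLE)):
        print(o.host, o.issuer_org, o.issuer_country, verdict)
```

A site legitimately changing its CA produces the same signal, so the check is a prompt for human review, not an automatic block.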

The link for this article located at H Security is no longer available.