Those sites, which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user’s Web browser that the sites are authentic. But as the number of such third-party “certificate authorities” has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say.
“It is becoming one of the weaker links that we have to worry about,” said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group.
The power to appoint certificate authorities has been delegated by browser makers like Microsoft, Mozilla, Google and Apple to various companies, including Verizon. Those entities, in turn, have certified others, creating a proliferation of trusted “certificate authorities,” according to Internet security researchers.