National (government-issued) SSL security certificates are also a central component of Iran’s National Internet. SSL certificates ensure that the connection used in any Internet transmission is encrypted and thus secure. When they are issued by a legitimate source, they do indeed ensure security. The government is discouraging the use of valid certificates (by occasionally demonstrating their capability to block international SSL certificates, as was done during the disputed 2009 presidential elections, when Iranian users were prevented secure access to sites such as Gmail, Facebook and Twitter), and developing its own national SSL security certificates.

Screen shot of Information Window of the SSL certificates issued by the government, showing their state affiliation.

SSL certificates that are issued by the Iranian government, non-government or private sector organizations controlled by the state, or Iranian security or military agencies will allow those (issuing) organizations to have full access to the online activities of the users. Critically, it will become difficult for users to recognize whether they are using an Iranian government SSL certificate or an international one; while most operating systems and browsers will recognize and alert the user that a SSL certificate is not from a trusted source, if an untrusted SSL certificate is used by enough (unsuspecting) users, these certificates become “trusted” certificates, and are no longer tagged as untrusted. Over time, the process leads to the “root” certification of the SSL certificates, which means they are considered safe.

On November 23, 2013, Iran announced the launch of a service called the “Electronic Trust Mark,” the term they chose for their national SSL security certificate. The Electronic Trust Mark is issued by the Industries Ministry’s Center for eCommerce Development, which gives its stamp of approval to Internet-based communication and transactions.49 After registering with this Center, which is the website of the Electronic Trust Mark, users must go to www.mocca.ir, the website of the Ministry of Industry and Mines, to receive their SSL certificate.

While it is unclear why this particular Ministry was chosen to handle the issuing of Iran’s national SSL certificates, what is important is that it is a government ministry: SSL certificates can be thought of as a lock, and anyone possessing a key can unlock the lock (in other words, break the encryption). The government of Iran, through its issuance and distribution of these certificates, has the key to open—and access—any account that uses the national SSL certificates. The stamp of approval then, which appears to guarantee encryption and security to users, actually just ensures government access to the account.