The Iranian government has employed two means to ensure the widespread use of its national SSL security certificates (and thus achieve their root certification). One is through the Iranian web browser, Saina, which is provided by state agencies and into which the authorities have built the national SSL certificates.

Screen shot of Information Window for Iran’s national browser, showing it is based on Firefox.

Saina is central to the success of the government-issued SSL certificates (and thus the government’s ability to gain access to content flowing across its National Internet) because Saina uses the SSL certificates issued by the Iranian government. Indeed, Iran’s national SSL certificates are valid on no other browser and thus their integration into Saina is critical to their use.

Thus if an individual uses, for example, FireFox, Safari, Google Chrome or Microsoft IE to access Iran’s national SSL certificate provider site, https://www.enamad.ir, he or she will receive a message warning them that they are using an invalid, or “untrusted” SSL security certificate. If the individual opens the same site with Iran’s national browser, Saina, however, he or she will get no warning message.

As more and more people use Iran’s Saina browser—and the state-issued SSL certificates contained therein—the national certificates become recognized as trusted, due to their increased usage. This process is particularly insidious, because at a certain point, root certification is achieved and computers will no longer show an error message when using these certificates. The national SSL certificates will thus allow the Iranian government to have access to the online activities of users without their knowledge.

Screen shot showing that Iran’s national browser will not show a warning message (indicating an untrusted certificate is being used) when Iran’s national SSL certificates are used on it.

Hamid Reza Hadipour, the deputy manager of the Center for eCommerce Development in charge of the Electronic Trust Mark program, has said that more than 25,000 certificates were issued in 2011. Since then, the number of these certificates has reached 100,000.

In an interview with itanalyze.com, Hadipour also predicted that “with the installment of new systems and increased distribution of [the national SSL] certificates, the goal of issuing 500,000 certificates would be reached in 2014.” That is a small number compared to the millions of non-governmental certificates currently used by Iranians online, but it is increasing at a rapid rate.

The ability of the authorities to access account content can have catastrophic consequences. Online content retrieved by the authorities has frequently been used as the sole “evidence” to convict individuals of national security-related crimes and sentence them to lengthy prison terms. In a judicial system routinely marked by denial of due process and the lack of fair trial standards, and in the absence of legal protections or regulations to keep the security agencies in check, the government’s ability to access accounts thus poses grave security risks to users.