SSL Security Certificates
The privacy and security of Iranian users have also been eroded through the use of Iranian national SSL security certificates. While SSL security certificates ensure the security of the connection between the user and the websites by encrypting the internet traffic, this security is built on trust in the provider of the security.
Any entity issuing an SSL certificate has two “keys” for that certificate—one for encrypting and one for decrypting.
While a company will keep those keys secure, if the state is the issuing body, they also have the ability to decrypt—without the worry of going out of business. Given the Iranian government’s history and record of violations of users’ privacy, trust in the integrity of the certificates would be misplaced. Because they are state-issued, Iran’s national SSL certificates offer only a false security—regardless of the “https” users will see in the address bar. At present, the Iranian national SSL certificate is valid only in Iran and in Iran’s Saina national browser; no other browser currently regards it as valid.
According to Article 32 of Iran’s Regulations of Electronic Commerce Law, the (state-run) Center for Root Certificate Authority (CA) [67] is responsible for the authorization to create, sign, issue and revoke the national SSL certificates. The Iranian government will thus control the issuance, use and distribution of the national SSL certificates. Simply put, use of this security certificate—by individuals, websites or mobile applications—will enable state intelligence and security forces to access, surveil, hack and control users’ internet content.
So far, the Iranian government does not appear to have made much headway with its SSL certificates. The last available numbers published on its website [68] are from March 2014, and indicate 440,000 copies of Iran’s national Saina browser were downloaded. While the data is several years old, the fact that Iran’s national SSLs are still not recognized as valid by any other browser suggests these numbers have not moved significantly. Nevertheless, if Iran is successful in pushing more users to use them, Iranians’ online privacy will be deeply compromised.