If you do business on the Web, you likely depend on SSL certificates to keep transactions safe, and you probably have one on your business site for your customers.
However, the recent ordeal over the certificate of the United Arab Emirates telecommunications company Etisalat, which came with embedded malicious code, serves as a reminder that a certificate's claim of security does not make its holder trustworthy.
As Sorin Mustaca, manager of international software development at Avira, explained to me:
A Certificate Authority is, by common understanding, an entity having a trust level beyond any doubt. This means that in the case of digital certificates, a CA can generate certificates which are trusted by all parties involved in a communication. Any entity, private or corporate, is allowed to request such a digital certificate; the only proof required is an official identification document. This means that such a certificate can only guarantee that the entity you are communicating with is who she pretends to be. It doesn't guarantee that the owner of the certificate can be trusted.
To help enterprises and their clients better monitor and secure their dealings on the Web, the Electronic Frontier Foundation is launching the SSL Observatory, which is:
a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded a dataset of all of the publicly-visible SSL certificates, and will be making that data available to the research community in the near future.
As Dirk Knop, technical editor at Avira, told me:
Usually, the companies taking all the effort to buy a certificate are aware of security and are doing their best to act in a secure manner. The case of Etisalat is unique so far, but it's possible that in other non-democratic states, institutions could abuse the trust, too.
In short: HTTPS is about being connected to the correct server. You still need to trust the server's owner; a certificate can't judge whether the owner is "nice."
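The distinction both Avira engineers draw, between "this is the server named in the certificate" and "this server's owner is trustworthy", is easiest to see in the checks a client actually performs. The following is an added example, not code from the article, from Avira, or from the EFF's SSL Observatory: a toy model of certificate issuance and validation in which the CA's signature is an HMAC stand-in (an assumption; real CAs sign with RSA or ECDSA keys) and every CA name, key, hostname and date is constructed sample data. It also includes a small observatory-style tally of which issuers stand behind a collection of certificates.

```python
"""Toy model of the trust decision behind an HTTPS connection.

Added example; not code from the article, from Avira, or from the EFF.
The HMAC-based signature is an assumed stand-in for the RSA/ECDSA
signatures real CAs use, and every key, hostname and date below is
constructed sample data.
"""
import hmac
import hashlib
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed CA signing secrets. A real CA holds an asymmetric private key;
# one HMAC key per CA is enough here to model "only this CA can sign".
CA_KEYS = {
    "Example Root CA": b"constructed-root-secret",
    "Other Root CA": b"constructed-other-secret",
}

# The relying party's trust store: CAs believed to verify applicants'
# identity documents. It records nothing about the applicants' intentions.
TRUSTED_ISSUERS = {"Example Root CA"}


@dataclass
class Certificate:
    subject_cn: str        # hostname the certificate is issued for
    issuer: str            # CA that vouched for that identity
    not_before: datetime
    not_after: datetime
    signature: bytes = b""

    def to_be_signed(self) -> bytes:
        """The fields the CA's signature covers."""
        return "|".join([self.subject_cn, self.issuer,
                         self.not_before.isoformat(),
                         self.not_after.isoformat()]).encode()


def ca_issue(ca_name, subject_cn, not_before, not_after):
    """The CA checks the applicant's ID document (off-screen) and signs the
    identity claim. It does not, and cannot, assess what the applicant
    will serve from that hostname."""
    cert = Certificate(subject_cn, ca_name, not_before, not_after)
    cert.signature = hmac.new(CA_KEYS[ca_name], cert.to_be_signed(),
                              hashlib.sha256).digest()
    return cert


def validate(cert, hostname, now):
    """What a browser decides for an HTTPS connection: trusted issuer, genuine
    signature, current validity window, matching name. Returns (ok, reason).
    None of the checks asks whether the certificate's owner is 'nice'."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return False, "issuer not in trust store"
    expected = hmac.new(CA_KEYS[cert.issuer], cert.to_be_signed(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.signature):
        return False, "signature does not verify"
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside validity period"
    if cert.subject_cn != hostname:
        return False, "hostname mismatch"
    return True, "connected to the server named in the certificate"


def issuer_survey(certs):
    """Observatory-style tally: which CAs stand behind a set of collected
    certificates, and how many of those certificates come from CAs outside
    the trust store. Returns (counts_by_issuer, untrusted_count)."""
    by_issuer = Counter(c.issuer for c in certs)
    untrusted = sum(n for ca, n in by_issuer.items() if ca not in TRUSTED_ISSUERS)
    return dict(by_issuer), untrusted


# Constructed sample data: one reference "now" and a handful of certificates.
NOW = datetime(2010, 8, 1, tzinfo=timezone.utc)
YEAR = timedelta(days=365)
SAMPLE_CERTS = {
    # a legitimate shop
    "shop": ca_issue("Example Root CA", "shop.example.com", NOW - YEAR, NOW + YEAR),
    # a properly identified operator who pushes spyware: the CA vouched for
    # the name, not the payload, so this validates exactly like the shop's
    "spyware": ca_issue("Example Root CA", "updates.example.net", NOW - YEAR, NOW + YEAR),
    "expired": ca_issue("Example Root CA", "old.example.com", NOW - 3 * YEAR, NOW - YEAR),
    "foreign": ca_issue("Other Root CA", "site.example.org", NOW - YEAR, NOW + YEAR),
}
# The shop's certificate with the name swapped after signing: the identity
# binding breaks, and that is the one thing the signature does catch.
TAMPERED = replace(SAMPLE_CERTS["shop"], subject_cn="bank.example.com")

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(f"{name:8} {cert.subject_cn:22} -> {validate(cert, cert.subject_cn, NOW)}")
    print("tampered", validate(TAMPERED, "bank.example.com", NOW))
    print("survey  ", issuer_survey(SAMPLE_CERTS.values()))
```

Run it and the "spyware" certificate passes every check the "shop" certificate passes: the only failures are the expired one, the one from a CA outside the trust store, and the tampered one whose name no longer matches what the CA signed. That is the whole of what the padlock asserts, and why a survey of who issued the certificates on the Web (the SSL Observatory's goal) is a question about CAs, not about the intentions of the sites they vouch for.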