13 September 2011 E-008086/2011
Question for written answer
to the Commission
Marietje Schaake (ALDE) and Sophia in 't Veld (ALDE)
Subject: Misuse by third countries of SSL certificates issued by EU‑based certification authorities
It was reported in the Dutch press(1) on 30 August 2011 that the Iranian Government is tapping, or has been tapping, GMail accounts accessed by Internet users from Iran, by means of a fraudulent Secure Sockets Layer (SSL) certificate issued by the Dutch-based certification authority DigiNotar(2). The Iranian Government used fraudulent SSL certificates issued by DigiNotar for the domains google.com, mozilla.com and torproject.org. The certificates enable the Iranian Government to “impersonate” these domains and reroute Internet traffic from them to its own servers. This practice is widely known as a “man-in-the-middle” attack(3). Internet users accessing the domains have consequently, in good faith, provided the Iranian Government with their usernames and passwords, enabling it — without any restrictions and without their prior consent — to tap and access their e-mail account(s) and other services related to the domains. This has endangered the Internet users’ lives, as Iran is well known for its systematic human rights abuses(4); Iran’s actions have also seriously undermined the degree of trust Internet users can have in certified SSL certificates, which has an impact on e-commerce services in general.
1. In the light of Commission Decision 2009/767/EC(5) of 16 October 2009, which relates to the Services Directive (2006/123/EC(6)) and requires the Member States to establish and publish ‘trusted lists’ of certification service providers issuing qualified certificates in accordance with the e-Signature Directive (1999/96/EC(7)), does the Commission agree that extra vigilance is required in order to ensure the greatest possible degree of trust in the companies on these lists, especially given that they are entrusted with the task of monitoring and certifying a significant proportion of the critical infrastructure of the Member States? If not, why not?
2. Can the Commission explain whether there are consequences for (a) the use of fraudulent SSL certificates and/or (b) the issuing of fraudulent SSL certificates? If not, why not?
3. Can the Commission elaborate on whether it is considering (additional) regulation with a view to ensuring trust in the issuing of SSL certificates, without compromising the free and open nature of the Internet?
4. Does the Commission think that DigiNotar has acted in violation of EU and/or UN sanctions imposed on Iran? If not, why not?
5. Is the Commission willing to include the issuing of SSL certificates by EU‑based certification authorities in the soon-to-be-updated Annex I to Regulation (EC) No 428/2009(8)? If not, why not?
6. Does the Commission have mechanisms for monitoring the impact on human rights defenders of ICT and telecom products and services provided from the EU?
7. Is the Commission aware of other regimes which are misusing certificates in order to track and trace human rights defenders?
(5) OJ L 274, 20.10.2009, p. 36.
(6) OJ L 376, 27.12.2006, p. 36.
(7) OJ L 44, 16.2.2000, p. 1.
(8) OJ L 134, 29.5.2009, p. 1.