The protocol used to enable secure shopping and banking on the internet can also be used to restrict your freedom to choose the hardware and software you use to connect. In fact, it’s already happening.

TLS allows a client (e.g. a web browser) to identify a server and to protect data in transit between the two ends of the connection. Most people are familiar with this in the form of HTTPS web sites; if the server isn’t what it purports to be—or even if it’s just poorly configured—you’ll see an error message.

What fewer people know is that TLS also works the other way round: it can identify the client to the server by means of a certificate installed on the client. This is mainly used by large organisations to reduce the risk of unauthorised computers connecting to their back-end systems.

And that’s all fine. Everyone is safe and secure, right? Unfortunately, there’s a dark side to TLS as well, but it’s one that I hadn’t realised until now.

I won’t go into great detail about how public key certificates work. All you need to know is that it’s possible to identify the issuer of a certificate, and it’s effectively impossible to fake a certificate.

So here’s the problem: if a manufacturer supplies a device with their own client certificate already installed, it’s possible for a server to practice selective discrimination based on the manufacturer of the device. It might, for example, decide only to serve devices manufactured by Sony or Apple.

Far-fetched?

Alas not. This is, in fact, used by the BBC today to implement the version of the iPlayer used by the Sony PS3 and the Apple iPad. The BBC server at securegate.iplayer.bbc.co.uk accepts only the following certificate authorities:

  • Oregan BBC CA
  • BBC Greenhouse Development Staff CA
  • BBC Greenhouse Production Servers and Services CA
  • Apple iPhone Device CA
  • ADB Root CA – DTT
  • BBC Greenhouse Production Operations CA
  • Sony LFX Project BIVL – Root CA

Don’t believe me? Try it in your browser. (You’ll need a protocol analyser to find the list above.)
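The mechanism described above, as an added example that is not part of the original post and has nothing to do with the BBC's servers: a Go program stands up a loopback TLS server whose `ClientCAs` pool contains a single constructed "Manufacturer A Device CA", then connects twice, once with a client certificate issued by that CA and once with one issued by a constructed "Manufacturer B Device CA". The client's `GetClientCertificate` callback also decodes the `AcceptableCAs` list the server sends in its CertificateRequest, which is the same list a protocol analyser would show. All CA and host names (`Example Service CA`, `service.example`, and so on) are placeholders invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a self-signed CA (issuer nil) or a leaf signed by issuer; Leaf holds the parsed cert.
func newCert(issuer *tls.Certificate, cn string, eku x509.ExtKeyUsage) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	parent, signer := tmpl, any(key)
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // server cert or "device" client cert, per eku; the DNS name is what the client verifies
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{eku}
		tmpl.DNSNames, parent, signer = []string{"service.example"}, issuer.Leaf, issuer.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// connect: one-shot server accepting only client certs chaining to deviceCA; returns the CA names it advertised and its verdict on clientCert (nil = accepted).
func connect(siteCA, deviceCA, serverCert, clientCert tls.Certificate) (advertised []string, err error) {
	clientPool, rootPool := x509.NewCertPool(), x509.NewCertPool()
	clientPool.AddCert(deviceCA.Leaf)
	rootPool.AddCert(siteCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // anything not chaining to ClientCAs is refused
		ClientCAs:    clientPool,
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // Accept alone does not handshake; Handshake yields the server's verdict
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: rootPool, ServerName: "service.example",
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			// AcceptableCAs: the DER DistinguishedNames from the CertificateRequest (what an analyser shows)
			for _, b := range cri.AcceptableCAs {
				var seq pkix.RDNSequence
				var n pkix.Name
				if _, e := asn1.Unmarshal(b, &seq); e == nil {
					n.FillFromRDNSequence(&seq)
					advertised = append(advertised, n.CommonName)
				}
			}
			return &clientCert, nil
		},
	})
	if err != nil {
		return advertised, err
	}
	// In TLS 1.3 the client finishes before the server has checked its certificate: read once so the server's close or alert has arrived.
	conn.Read(make([]byte, 2))
	conn.Close()
	return advertised, <-verdict
}

// RunDemo reports the CA list a device sees and whether devices certified by the trusted vendor's CA and by another vendor's CA get in. All CAs are constructed placeholders.
func RunDemo() (advertised []string, vendorAOK, vendorBOK bool) {
	siteCA := newCert(nil, "Example Service CA", 0)
	vendorA := newCert(nil, "Manufacturer A Device CA", 0) // the only device CA the server trusts
	vendorB := newCert(nil, "Manufacturer B Device CA", 0) // a vendor not on the server's list
	serverCert := newCert(&siteCA, "service.example", x509.ExtKeyUsageServerAuth)
	deviceA := newCert(&vendorA, "device-a", x509.ExtKeyUsageClientAuth)
	deviceB := newCert(&vendorB, "device-b", x509.ExtKeyUsageClientAuth)
	advertised, errA := connect(siteCA, vendorA, serverCert, deviceA)
	_, errB := connect(siteCA, vendorA, serverCert, deviceB)
	return advertised, errA == nil, errB == nil
}

func main() {
	cas, a, b := RunDemo()
	fmt.Printf("server accepts device certs from %v; vendor A device in: %v; vendor B device in: %v\n", cas, a, b)
}
```

Running it prints the single advertised CA name, `true` for the vendor A device and `false` for the vendor B device, whose certificate is refused with a bad-certificate alert because it does not chain to anything in `ClientCAs`. One caveat worth knowing when reproducing the post's capture: in TLS 1.2 and earlier the CertificateRequest (and its `certificate_authorities` list) travels in the clear, so a passive analyser can read it; in TLS 1.3 that message is encrypted, so the list is only visible from inside the client, as the callback above shows.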

This won’t necessarily bother you unless you’re trying to reverse-engineer the iPlayer. However, as a proof of concept of something much more sinister, it’s alarming. We’ve already seen the obsequious level of favouritism given to Apple by the BBC, and they’re not even a commercial organisation.

I imagined that it would be governments that would take away internet freedoms. Between IP geolocation restricted services (taking the world out of world-wide web) and device-locked services, however, I wonder if corporations will get there first.

I don’t know what we can do about it. It’s particularly galling that the BBC is working to destroy the notion of a device-agnostic, protocol-based internet, and using free software to do so.

Anyway, there’s a prize for the first person to extract a working client certificate from an iPad.