Encryption's weak link No. 11: Certificates can be faked
Let's say you go to PeteMail.com with an encrypted email connection, and to be extra careful, you click through to check out the certificate. After a bit of scrutiny, you discover it says it was issued by the certificate authority Alpha to PeteMail.com and it's all legit. You're clear, right?
Wrong. What if PeteMail.com got its real SSL certificate from a different certificate authority -- say, Beta. The certificate from Alpha may also be real, but Alpha just made a certificate for PeteMail.com and gave it to the eavesdropper to make the connection easier to bug. Man-in-the-middle attacks are easier if the man in the middle can lie about his identity. There are hundreds of certificate authorities, and any one of them can issue certs for SSL.
This isn't a hypothetical worry. There are hundreds of certificate authorities around the world, and some are under the control of the local governments. Will they just create any old certificate for someone? Why don't you ask them?
Sign up for CIO Asia eNewsletters.