Mozilla on Tuesday added digital certificates belonging to security biz DarkMatter and its subsidiaries to Firefox's OneCRL blocklist, based on concerns that the UAE-based company will misuse its power as a certificate authority (CA) to intercept online communications.
In a post to Mozilla's security policy forum, Wayne Thayer, certification authority program manager for the public benefit browser and software maker, said multiple independent reports have raised credible allegations that DarkMatter has been involved in spying.
"While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users," said Thayer.
"I will be opening a bug requesting the distrust of DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also recommend denial of the pending inclusion request, and any new requests from DigitalTrust."
DigitalTrust is the name of DarkMatter's CA business; "Kathleen" refers to Mozilla program manager Kathleen Wilson.
Web browsers depend on a list of authorities that vouch for the authenticity and integrity of the digital certificates presented by websites. An untrustworthy CA could issue a fake certificate to a website that allowed it to spy on interactions between the site and its visitors, even if the connection appeared to be secure.
DarkMatter has been trying to become a root certificate authority for the past two years. In January, Reuters reported that DarkMatter personnel assisted in a hacking operation called Project Raven, run by an Emirati intelligence agency and assisted by former US intelligence officials. The goal of Project Raven involved compromising the internet accounts of journalists, human rights activists and foreign government officials, it's alleged.
DarkMatter has denied that report; the company didn't immediately respond to a request for comment from The Register.
In February, the Electronic Frontier Foundation urged Mozilla and other maintainers of root certificate databases like Apple, Google and Microsoft to reject DarkMatter's bid to become a root certificate authority and to revoke its intermediate certificate, which allows the issuance of certificates under the oversight of a recognized root CA.
Open-source 64-ish-bit serial number gen snafu sparks TLS security cert revoke runaroundREAD MORE
"Giving DarkMatter a trusted root certificate would be like letting the proverbial fox guard the henhouse," said Cooper Quintin, senior staff technologist at the EFF at the time.
In a statement emailed to The Register, Selena Deckelmann, senior director of engineering at Mozilla, defended DarkMatter's banishment, a punishment meted out to China's CNNIC in 2015.
"We made the decision to revoke trust in DarkMatter’s intermediate certificates and to deny the pending inclusion request," she said. "We are confident this is the right decision, but it was not made lightly. Two important obligations guided our decision: first, that trust in our CA root store is a critical component of the security underpinnings of the web and second, our responsibility to protect individuals who rely on Mozilla products."
Deckelmann said in light of credible evidence from multiple sources that DarkMatter participates in spying, Mozilla's responsibilities to the web and those who rely on its software have led it to conclude that continuing to trust the security biz would endanger the web and users of Mozilla products. ®