Tech

Mozilla bans surveillance vendor from Firefox certificate whitelist

Mozilla declines DarkMatter's application to have its root certificates included in Firefox's root store.

Written by Catalin Cimpanu, Contributor July 9, 2019 at 1:00 p.m. PT

Image: Mozilla

TechRepubli

Cheat sheet: TensorFlow, an open source software library for machine learning

Read now

Mozilla will not trust certificates issued by a company accused of selling surveillance and hacking services to oppressive regimes in the Middle East.

The browser maker announced today that it will not include the root certificates of a controversial company named DarkMatter inside Firefox's root store -- the browser internal list of entities approved to issue TLS certificate for securing signing encrypted HTTPS traffic.

Wayne Thayer, Certificate Authority Program Manager at Mozilla, made the formal announcement today.

Besides declining the inclusion of DarkMatter's root certificate inside Firefox, Thayer also said that Mozilla will be distrusting six intermediate certificates owned by QuoVadis, which DarkMatter was using as a temporary mechanism to issue TLS certificates to its customers.

If DarkMatter's root certificate would have been included in Firefox, it would have allowed the company the ability to issue TLS certificates that would have certified fake websites as legitimate ones.

Many cyber-security experts and privacy advocates warned Mozilla that DarkMatter would abuse this position to help its surveilannce operations. Some of these operations have been previously detailed in reports from Reuters, the New York Times, The Intercept, and other sources. The linked news article detail alleged DarkMatter-orchestrated hacking operations against human rights activists, journalists, and foreign governments, which DarkMatter carried out at the behest of the United Arab Emirate' government.

DarkMatter previously contested the reports. A company spokesperson did not reply a request for comment from ZDNet sent earlier today.

Last ditch effort to spin off CA business didn't work

As a last ditch effort to have its certificates trusted inside Firefox, DarkMatter tried to spin off its Certificate Authority (CA) business as a separate entity called DigitalTrust.

However, the move came too late, and Mozilla engineers didn't buy it, claiming that both DarkMatter and the new company were run by the same CEO.

Taking this into consideration, along with the previous news reports about the company's surveillance operations, Mozilla announced its decision earlier today in a Google Groups discussion.

"Our foremost responsibility is to protect individuals who rely on Mozilla products," Thayer said.

"I believe this framing strongly supports a decision to revoke trust in DarkMatter's intermediate certificates. While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users.

"I will be opening a bug requesting the distrust of DarkMatter's subordinate CAs [...]. I will also recommend denial of the pending inclusion request, and any new requests from DigitalTrust."

Once Mozilla removes the QuoVadis intermediary certificates from Firefox in a future update, all websites that use TLS certificates acquired from DarkMatter will show full-page HTTPS errors in Firefox, warning and blocking users from accessing their content.