Skip to main content
banner image
venafi logo

Mozilla and Google Come Down on the Side of Privacy [DarkMatter]

Mozilla and Google Come Down on the Side of Privacy [DarkMatter]

hand prying through window, privacy
July 30, 2019 | Katrina Dobieski

 

Just a few weeks ago, Mozilla added DarkMatter-issued certificates to Firefox’s OneCRL blocklist and rejected its inclusion into its trust store. This inserts some punctuation in a lengthy industry debate as to the ethics of allowing suspiciously connected entities to run the gauntlet on the internet



 

The Debate



DarkMatter has been vying to become a root certificate authority for two years, and the blow was met with a formalized appeal. Specifically, six intermediate DarkMatter (“DigitalTrust”) CAs have been removed from the Firefox whitelist, under the name QuoVadis.
 

As stated by Venafi’s Kevin Bocek, VP of security and threat intelligence, “[DarkMatter] is operating according to spec. They've got great staff. ..They've got the best.”

 

[Above Image: A day at the office, DarkMatter]
 

When it comes to standards and compliance, “[DarkMatter] will likely meet those standards” affirms the Electronic Frontier Foundation (EFF), initial heralds of the warning cry to Mozilla, Apple, Microsoft and Google. “But the standards don’t take into account an organization’s history of trying to break encryption, or its conflicts of interest.”
 

As of last year, links had been drawn between illicit Project Raven and the overseas CA. The clandestine operation paired United Arab Emirate operatives with former NSA members to spy on and track political dissidents, journalists and activists. The spotless reputation of the otherwise above-board certificate authority had been difficult to maintain ever since.
 

"While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users," finally concluded Wayne Thayer, certification authority program manager for Mozilla.

 

Mozilla and Google Put a Stake in the Ground for Privacy



Kathleen Wilson, Mozilla’s program manager, stated in a thread to fellow Mozilla employees, “I concur with Wayne’s recommendation...to add DarkMatter’s existing intermediate certificates to OneCRL and decline DarkMatter’s root inclusion request.”

 


Google must have concurred as two weeks later, they did the same thing.
 

DarkMatter-issued TLS certificates will soon be absent from Android, Chrome and Firefox trust stores.  The secure HTTPS connections affected will now show an error message once the ban is implemented.


With Google’s move, the momentum takes a hard shift in the direction of erring on the side of privacy when it comes to trust.

 

Said Wilson, “I agree with [coworker Gijs Kruibosch] ...that [an] applicable analogy is being a guarantor on a large loan...you should never ‘be a guarantor for anybody unless you're very, very sure of that person, because you have effectively no recourse if the debtor leaves you holding the bag’.”
 

Apparently when it came to the smoke surrounding DarkMatter’s inclusion, neither Google nor Mozilla wanted to risk the fire.

 

Only You Can Protect Your Machine Identities



Even though the decisions by the major trust-store owners may have catalyzed the debate, what was decided can only be termed a one-off. Other decisions may be made by other CA trust stores, and the burden of responsibility falls on us.
 

As stated by Venafi's Bocek, “If you don't take an active role in whitelisting and blacklisting the CAs in your trust stores—everywhere from the desktop to application servers to the cloud—you may end up incidentally trusting hundreds of CAs that you have no relationship with to enable others, including hackers, to be trusted.”
 

Even Mozilla admitted to needing to "up their game” when it comes to managing the sprawling number of certificate authorities: “[w]ith over 3,000 subordinate CA certificates chaining to root certificates in Mozilla’s program, we need automation to extend checks and balances to all of them,” wrote Kathleen Wilson. It’s automation and every man for themselves in what can still very much be termed the “wild west” of cyber security.
 


The decisions of Mozilla and Google may set a precedent in favor of privacy when it comes to CA root store inclusion. However, the frailty of the decision-making process makes it incumbent on individual enterprises to keep track of their own keys and certificates, examine all trusted CAs and have full visibility over their machine identities because if they don’t - there’s always an interested entity who will.
 

 

 

Related posts

 

Like this blog? We think you will love this.
ip-spoofing
Featured Blog

What Is IP Spoofing?

What is IP Spoofing?

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Katrina Dobieski
Katrina Dobieski

Katrina writes for Venafi's blog and helps optimize Venafi's online presence to advance awareness of Machine Identity Protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more