Just a few weeks ago, Mozilla added DarkMatter-issued certificates to Firefox’s OneCRL blocklist and rejected the company’s inclusion in its trust store. This inserts some punctuation into a lengthy industry debate over the ethics of letting entities with suspicious connections act as trusted authorities on the internet.
DarkMatter had been vying to become a root certificate authority for two years, and the blow was met with a formal appeal. Specifically, six intermediate DarkMatter (“DigitalTrust”) CAs, issued under the QuoVadis name, have been removed from the Firefox whitelist.
As stated by Venafi’s Kevin Bocek, VP of security and threat intelligence, “[DarkMatter] is operating according to spec. They've got great staff... They've got the best.”
[Above Image: A day at the office, DarkMatter]
When it comes to standards and compliance, “[DarkMatter] will likely meet those standards” affirms the Electronic Frontier Foundation (EFF), initial heralds of the warning cry to Mozilla, Apple, Microsoft and Google. “But the standards don’t take into account an organization’s history of trying to break encryption, or its conflicts of interest.”
As of last year, links had been drawn between the illicit Project Raven and the overseas CA. The clandestine operation paired United Arab Emirates operatives with former NSA members to spy on and track political dissidents, journalists and activists. The spotless reputation of the otherwise above-board certificate authority had been difficult to maintain ever since.
"While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users," finally concluded Wayne Thayer, certification authority program manager for Mozilla.
Mozilla and Google Put a Stake in the Ground for Privacy
Kathleen Wilson, Mozilla’s program manager, stated in a thread to fellow Mozilla employees, “I concur with Wayne’s recommendation...to add DarkMatter’s existing intermediate certificates to OneCRL and decline DarkMatter’s root inclusion request.”
Google must have concurred, as two weeks later it did the same thing.
DarkMatter-issued TLS certificates will soon be absent from the Android, Chrome and Firefox trust stores. Once the ban is in place, HTTPS connections secured by those certificates will show an error message instead.
With Google’s move, the momentum takes a hard shift in the direction of erring on the side of privacy when it comes to trust.
Said Wilson, “I agree with [coworker Gijs Kruitbosch] ...that [an] applicable analogy is being a guarantor on a large loan...you should never ‘be a guarantor for anybody unless you're very, very sure of that person, because you have effectively no recourse if the debtor leaves you holding the bag’.”
Apparently when it came to the smoke surrounding DarkMatter’s inclusion, neither Google nor Mozilla wanted to risk the fire.
Only You Can Protect Your Machine Identities
Even though the decisions by the major trust-store owners may have catalyzed the debate, what was decided can only be termed a one-off. Other trust-store owners may decide differently about other CAs, and the burden of responsibility falls on us.
As stated by Venafi's Bocek, “If you don't take an active role in whitelisting and blacklisting the CAs in your trust stores—everywhere from the desktop to application servers to the cloud—you may end up incidentally trusting hundreds of CAs that you have no relationship with to enable others, including hackers, to be trusted.”
Even Mozilla admitted to needing to “up their game” when it comes to managing the sprawling number of certificate authorities: “[w]ith over 3,000 subordinate CA certificates chaining to root certificates in Mozilla’s program, we need automation to extend checks and balances to all of them,” wrote Kathleen Wilson. It’s automation and every man for himself in what can still very much be termed the “wild west” of cyber security.
The decisions of Mozilla and Google may set a precedent in favor of privacy when it comes to CA root store inclusion. However, the frailty of the decision-making process makes it incumbent on individual enterprises to keep track of their own keys and certificates, examine every trusted CA and have full visibility over their machine identities, because if they don’t, there is always an interested entity who will.
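The "active role in whitelisting and blacklisting the CAs in your trust stores" that Bocek describes above, and the automation Wilson calls for, can start with something as simple as inventorying every CA certificate in a PEM bundle by fingerprint and comparing it against an explicit allowlist and blocklist. The script below is an added illustration written for this article, not Venafi's, Mozilla's or any trust-store owner's tooling. It needs only the Python standard library; the bundle it audits is constructed from placeholder PEM blocks (deterministic bytes, not real X.509 certificates), and the `SAMPLE_BUNDLE`, `ALLOWLIST` and `BLOCKLIST` names are assumptions for the demonstration.

```python
"""Audit a PEM CA bundle: fingerprint every CA and classify it as
'allowed', 'blocked' or 'unvetted'. Example code added for illustration;
not the tooling of any vendor or trust-store program named in the article.
The sample bundle is CONSTRUCTED from placeholder bytes, not real certificates."""
import base64
import hashlib
import re

# Matches each certificate block in a PEM bundle (lazy match, across newlines).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def parse_bundle(pem_text):
    """Return the DER bytes of every certificate block found in the bundle."""
    ders = []
    for match in PEM_RE.finditer(pem_text):
        b64 = "".join(match.group(1).split())  # drop the line breaks inside the block
        ders.append(base64.b64decode(b64))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of the DER, in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_bundle(pem_text, allowlist, blocklist):
    """Map each CA fingerprint to 'blocked', 'allowed' or 'unvetted'.

    The blocklist is checked first so that a CA appearing on both lists is
    still rejected: a revocation decision must override an earlier approval.
    Anything on neither list is reported as 'unvetted' for human review."""
    report = {}
    for der in parse_bundle(pem_text):
        fp = fingerprint(der)
        if fp in blocklist:
            report[fp] = "blocked"
        elif fp in allowlist:
            report[fp] = "allowed"
        else:
            report[fp] = "unvetted"
    return report


def make_placeholder_cert(seed):
    """CONSTRUCTED placeholder PEM block from deterministic bytes (not a real cert).
    Only used so the example runs offline; real bundles contain DER X.509 data."""
    body = hashlib.sha256(seed.encode()).digest() * 4
    b64 = base64.encodebytes(body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Assumed sample inputs: one vetted CA, one that has been revoked, one nobody reviewed.
SAMPLE_BUNDLE = "".join(
    make_placeholder_cert(s) for s in ("vetted-root", "revoked-root", "unknown-root")
)
ALLOWLIST = {fingerprint(parse_bundle(make_placeholder_cert("vetted-root"))[0])}
BLOCKLIST = {fingerprint(parse_bundle(make_placeholder_cert("revoked-root"))[0])}

if __name__ == "__main__":
    for fp, status in audit_bundle(SAMPLE_BUNDLE, ALLOWLIST, BLOCKLIST).items():
        print(status.ljust(8), fp)
```

On a real host you would feed `parse_bundle` the contents of the system bundle (for example `/etc/ssl/certs/ca-certificates.crt` on Debian-based systems) plus the bundles shipped inside application servers and container images, and treat every "unvetted" line as a CA you are trusting without having decided to. Keying the lists on the SHA-256 fingerprint of the DER rather than on the subject name means a CA cannot slip past the check by reusing a familiar name.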