Mozilla CA Quandary Highlights the Importance of Trust Store Security

Mozilla, Dark Matter, Trust Store Security
February 28, 2019 | David Bisson

In late February 2019, news emerged that Mozilla had received a request from Dark Matter to be added to Firefox’s CA Certificate Root Program. The request is not significant from a bureaucratic standpoint: if it does not already meet the program’s minimum requirements, Dark Matter can improve its documented practices and hone its policies until it issues standards-compliant certificates. The request stands out instead for an ethical reason. Dark Matter, an emerging digital security company in the United Arab Emirates, has a history of spying on web communications and hacking dissidents’ iPhones.

Cooper Quintin, senior staff technologist at EFF, fears that a company like Dark Matter would abuse its privileged status as a CA to threaten the security and privacy of Firefox users. As he explains in a blog post:

“Any of the dozens of certificate authorities trusted by your browser could secretly issue a fraudulent certificate for any website (such as or A certificate authority (or other organization, such as a government spy agency,) could then use the fraudulent certificate to spy on your communications with that site, even if it is encrypted with HTTPS.”

This threat derives its heft from trust stores: collections of root certificates that are trusted by default, which Mozilla, Google, Microsoft, Apple and other makers of operating systems and web browsers maintain. An issuing CA must pass an audit before it can expect its root certificate to be included in a trust store. But once a root is approved, an untrustworthy company that controls it can issue a fraudulent machine identity for any site, and every client that ships the root will accept it, exposing users’ web activity.

That’s not the only threat pertaining to trust stores, either. As noted by Malwarebytes, digital attackers can also steal the private key that belongs to a root certificate. If that root already resides within a trust store, the thieves can issue their own certificates, sign them with the stolen key and use them to stage man-in-the-middle (MitM) attacks or deliver malware to browser users’ machines.

Given these risks, Quintin rightly argues that Mozilla and the other root store maintainers, Microsoft, Google and Apple, should refuse to trust companies like Dark Matter as root CAs. That is a reasonable hope. But it does not consider what organizations themselves can do to manage the security threats that arise from trust stores.

Fortunately, organizations can take steps to protect themselves. They can begin by recognizing that default trust stores ship with hundreds of root certificates that their users never need. Indeed, a study from the University of Hannover in Germany found that only two-thirds of the trusted root certificates included in the default trust stores for Windows, Linux, macOS, Firefox, iOS and Android were active in signing HTTPS certificates. That leaves the remaining third of trusted roots as pure attack surface: trusted by every client, yet relied upon by none, so their abuse would bring no benefit to offset the risk.

In response, organizations should consider replacing these default trust stores with a customized one built through certificate whitelisting, so that they decide which root certificates are included. This practice reduces the attack surface by limiting the number of trusted CAs and flags SSL/TLS sessions whose certificates chain to a root outside the whitelist. Organizations can then update their certificate whitelists and blacklists on an ongoing basis to reflect evolving business requirements and the expanding CA landscape.
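The whitelisting approach described above, as an added example that is not part of the original post: a small Python model that prunes a default trust store down to the roots an organization’s observed HTTPS sessions actually chain to, flags sessions that terminate in any other root, and moves a root to a blacklist when trust in it is withdrawn (for instance after a suspected key compromise). The root names, fingerprints and session records are constructed for the example and do not correspond to real CAs.

```python
"""Customized trust store via whitelisting: prune, evaluate, revoke.

Added example, not code from the original post.  Every root name,
fingerprint and session record below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RootCert:
    name: str
    fingerprint: str  # hex SHA-256 of the DER root; constructed, not a real CA


@dataclass(frozen=True)
class Session:
    host: str
    root_fingerprint: str  # root the served certificate chain terminated in


@dataclass
class TrustPolicy:
    allowed: set  # whitelisted root fingerprints
    denied: set   # blacklisted root fingerprints; deny always wins over allow


# Constructed stand-in for a vendor's default trust store.
DEFAULT_STORE = [
    RootCert("Example Global Root A", "a1" * 32),
    RootCert("Example Global Root B", "b2" * 32),
    RootCert("Regional Root C", "c3" * 32),
    RootCert("Legacy Root D", "d4" * 32),
    RootCert("Dormant Root E", "e5" * 32),
    RootCert("Dormant Root F", "f6" * 32),
]

# Constructed inventory of observed HTTPS sessions and the root each chained to.
OBSERVED_SESSIONS = [
    Session("mail.example.internal", "a1" * 32),
    Session("crm.example.internal", "a1" * 32),
    Session("payroll.example.internal", "b2" * 32),
    Session("partner.example.test", "c3" * 32),
    Session("legacy-erp.example.internal", "d4" * 32),
]


def active_roots(store: Iterable[RootCert], sessions: Iterable[Session]) -> Counter:
    """Count observed sessions per root, ignoring roots not in the store."""
    known = {r.fingerprint for r in store}
    return Counter(s.root_fingerprint for s in sessions if s.root_fingerprint in known)


def unused_fraction(store: Iterable[RootCert], sessions: Iterable[Session]) -> float:
    """Share of the default store that no observed session relies on."""
    store = list(store)
    return 1 - len(active_roots(store, sessions)) / len(store)


def build_policy(store, sessions, denied: Iterable[str] = ()) -> TrustPolicy:
    """Whitelist only the roots that sign certificates the organization uses.

    A denied root is excluded even if it is currently active.
    """
    denied = set(denied)
    allowed = {fp for fp in active_roots(store, sessions) if fp not in denied}
    return TrustPolicy(allowed=allowed, denied=denied)


def evaluate(session: Session, policy: TrustPolicy) -> str:
    """Classify one session against the custom store."""
    fp = session.root_fingerprint
    if fp in policy.denied:
        return "reject"  # explicitly blacklisted root
    if fp in policy.allowed:
        return "accept"  # chains to a whitelisted root
    return "flag"        # chains to a root outside the custom store


def revoke(policy: TrustPolicy, fingerprint: str) -> TrustPolicy:
    """Withdraw trust in a root, e.g. after a suspected private-key theft."""
    return TrustPolicy(allowed=policy.allowed - {fingerprint},
                       denied=policy.denied | {fingerprint})


if __name__ == "__main__":
    policy = build_policy(DEFAULT_STORE, OBSERVED_SESSIONS)
    print(f"{unused_fraction(DEFAULT_STORE, OBSERVED_SESSIONS):.0%} of default roots unused")
    probe = OBSERVED_SESSIONS + [Session("unknown.example.test", "e5" * 32)]
    for s in probe:
        print(f"{evaluate(s, policy):7} {s.host}")
    policy = revoke(policy, "d4" * 32)  # Legacy Root D is no longer trusted
    print(evaluate(Session("legacy-erp.example.internal", "d4" * 32), policy))
```

In a deployment the fingerprints would be exported from the operating system or browser store and the session records would come from a TLS inventory; the model deliberately stays above the X.509 parsing layer so that the policy logic (prune to active roots, flag the rest, revoke on demand) is the only thing it shows.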

At the same time, organizations should secure their own certificates and keys against attackers. They can do this with a solution that monitors these machine identities for signs of abuse and automates the certificate renewal process to sidestep human error.

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.