Mozilla CA Quandary Highlights the Importance of Trust Store Security

Mozilla, Dark Matter, Trust Store Security
February 28, 2019 | David Bisson

In late February 2019, news emerged that Mozilla had received a request from Dark Matter to be added to Firefox’s CA Certificate Root Program. The request is not significant from a bureaucratic standpoint: if it does not already meet the minimum requirements, Dark Matter can improve its documented practices and hone its policies so that it issues standards-compliant certificates. The request stands out rather for an ethical reason: Dark Matter, an emerging digital security company in the United Arab Emirates, has a history of spying on web communications and hacking dissidents’ iPhones.

Cooper Quintin, senior staff technologist at EFF, specifically fears that a company like Dark Matter would abuse its privileged status as a CA to threaten the security and privacy of Firefox users. As he explains in a blog post:

“Any of the dozens of certificate authorities trusted by your browser could secretly issue a fraudulent certificate for any website (such as google.com or eff.org). A certificate authority (or other organization, such as a government spy agency) could then use the fraudulent certificate to spy on your communications with that site, even if it is encrypted with HTTPS.”

This threat derives its heft from trust stores: collections of trusted-by-default root certificates that Mozilla, Google, Microsoft, Apple and other makers of operating systems and web browsers maintain. An issuing CA must undergo an auditing process before it can expect its root certificate to be included in a trust store. But once it is approved, an untrustworthy CA can issue a fraudulent machine identity for any site, and every client that trusts that root will accept it, thereby exposing users’ web activity.


That’s not the only threat pertaining to trust stores, either. As noted by Malwarebytes, digital attackers can also steal the private key that belongs to a root certificate. If that root certificate already resides within a trust store, the attackers can issue their own certificates, sign them with the stolen private key and thereby stage man-in-the-middle (MitM) attacks or install malware onto web browser users’ machines.

Given the risks described above, Quintin rightly thinks it would be best if Mozilla and other root certificate database maintainers like Microsoft, Google and Apple refused to trust companies like Dark Matter as root CAs. That’s a good hope, anyway. But it doesn’t take into consideration what organizations themselves can do to manage the security threats that trust stores introduce.

Fortunately, organizations can take steps to protect themselves. They can begin by recognizing that default trust stores ship with hundreds of root certificates that aren’t necessary for their own traffic. Indeed, a study from the University of Hannover in Germany found that only two-thirds of the trusted root certificates included in the default trust stores for Windows, Linux, macOS, Firefox, iOS and Android were active in signing HTTPS certificates. That leaves the remaining third of trusted root certificates as attack surface with no corresponding benefit: any of them could be abused to issue a certificate that clients would accept.

In response, organizations should consider rejecting these default trust stores. Instead, they should create a customized trust store using certificate whitelisting, so that they decide which root certificates are included in the collection. This practice reduces the attack surface by limiting the number of trusted CAs and by flagging SSL/TLS sessions whose certificates chain to a root outside the whitelist. Organizations can then update these certificate whitelists and blacklists on an ongoing basis to reflect their evolving business requirements and the expanding CA landscape.
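The two points above (any trusted root can issue a certificate for any hostname, and a whitelisted trust store limits which roots are accepted) can be shown end to end with Go's standard `crypto/x509` package. The program below is an added example, not code from the article or from Venafi; it constructs two roots of its own (an "allowed" CA and a "rogue" CA, both hypothetical), has each issue a server certificate for the same constructed hostname `intranet.example.test`, and then verifies both leaves against a whitelist containing only the allowed root, and again against a store that also trusts the rogue root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hostname used for both leaf certificates (constructed for this example).
const host = "intranet.example.test"

// newRoot builds a self-signed root CA certificate and its private key.
func newRoot(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the given root issue a server certificate for hostname.
// Nothing stops a root from naming any hostname it likes; that is the point.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst validates leaf for hostname using exactly the roots passed in,
// i.e. a whitelisted trust store rather than the system default.
func verifyAgainst(leaf *x509.Certificate, hostname string, whitelist ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range whitelist {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   hostname,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario reports: does the legitimate leaf pass the whitelist; is the rogue
// leaf rejected as UnknownAuthority by the whitelist; and does the same rogue
// leaf pass once the rogue root is admitted to the store.
func Scenario() (allowedOK, rogueRejected, rogueTrustedOK bool, err error) {
	allowed, allowedKey, err := newRoot("Example Allowed Root CA", 1)
	if err != nil {
		return
	}
	rogue, rogueKey, err := newRoot("Example Rogue Root CA", 2)
	if err != nil {
		return
	}
	good, err := issueLeaf(allowed, allowedKey, host)
	if err != nil {
		return
	}
	forged, err := issueLeaf(rogue, rogueKey, host)
	if err != nil {
		return
	}
	allowedOK = verifyAgainst(good, host, allowed) == nil
	var unknown x509.UnknownAuthorityError
	rogueRejected = errors.As(verifyAgainst(forged, host, allowed), &unknown)
	rogueTrustedOK = verifyAgainst(forged, host, allowed, rogue) == nil
	return
}

func main() {
	ok, rejected, rogueOK, err := Scenario()
	fmt.Printf("allowed leaf accepted: %v\nrogue leaf rejected by whitelist: %v\nrogue leaf accepted once root is trusted: %v\nerr: %v\n",
		ok, rejected, rogueOK, err)
}
```

The third result is the one the article is worried about: the forged certificate is indistinguishable from a legitimate one to any client whose store contains the rogue root, so the only control that helps is keeping that root out of the store in the first place. A production deployment would load the whitelisted roots from a file the organization controls and surface `UnknownAuthorityError` as a flagged session rather than a silent failure.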

Simultaneously, organizations should take steps to secure their own certificates and keys against digital attackers. They can do this by using a solution that monitors these machine identities for signs of abuse. Such a platform should also automate the certificate renewal process to sidestep human error.

Step up your organization’s certificate monitoring program today.

About the author
David Bisson
David Bisson writes for Venafi's blog and is an expert in machine identity protection.