Update 2019-06-21: DarkMatter has renamed its CA business Digital Trust – Sole Proprietorship L.L.C. (“DigitalTrust”). The criticisms below still apply.

DarkMatter, the notorious cyber-mercenary firm based in the United Arab Emirates, is seeking to become approved as a top-level certificate authority in Mozilla’s root certificate program. Giving such a trusted position to this company would be a very bad idea. DarkMatter has a business interest in subverting encryption, and would be able to potentially decrypt any HTTPS traffic they intercepted. One of the things HTTPS is good at is protecting your private communications from snooping governments—and when governments want to snoop, they regularly hire DarkMatter to do their dirty work.

Membership in the root certificate program is the way in which Mozilla decides which certificate authorities (CAs) get to have their root certificates trusted in Firefox. Mozilla’s list of trusted root certificates is also used in many other products, including the Linux operating system. 

Browsers rely on this list of authorities, which are trusted to verify and issue the certificates that allow for secure browsing, using technologies like TLS and HTTPS. Certificate Authorities are the basis of HTTPS, but they are also its greatest weakness. Any of the dozens of certificate authorities trusted by your browser could secretly issue a fraudulent certificate for any website (such as google.com or eff.org.) A certificate authority (or other organization, such as a government spy agency,) could then use the fraudulent certificate to spy on your communications with that site, even if it is encrypted with HTTPS. Certificate Transparency can mitigate some of the risk by requiring public logging of all issued certificates, but is not a panacea.

Mozilla and other root certificate database maintainers (Microsoft, Google, and Apple) should not trust Dark Matter as a root certificate authority.

The companies on your browser’s trusted CA list rarely commit such fraud, since not issuing malicious certificates is the foremost responsibility for a certificate authority. But it can and does still happen. The concern in this case is that DarkMatter has made its business spying on internet communications, hacking dissidents’ iPhones, and other cyber-mercenary work. DarkMatter’s business objectives directly depend on intercepting end-user traffic on behalf of snooping governments. Giving DarkMatter a trusted root certificate would be like letting the proverbial fox guard the henhouse.

Currently, the standard for being accepted as a trusted certificate authority in the browser is a technical and bureaucratic one. For example, do the organization's documented practices meet the minimum requirements? Can the organization issue standards-compliant certificates? Dark Matter will likely meet those standards, eventually. But the standards don’t take into account an organization’s history of trying to break encryption, or its conflicts of interest.

Other organizations have used this fact to game the system in the past and worm their way into our browsers. In 2009, Mozilla allowed CNNIC, the Chinese state certification authority, into the root CA program, after CNNIC assured Mozilla and the larger community that it would not abuse this power to create fake certificates and break encryption. In 2015 CNNIC was caught in a scandal when an intermediate CA authorized by CNNIC issued illegitimate certificates for several google-owned domains. Google, Mozilla, and others quickly revoked CNNIC’s authority in their browsers and operating systems after learning about the breach of trust. CNNIC is not the only example of this. In 2013 Mozilla considered dropping the Swedish company Teliasonera after accusations that it had helped enable government spying. Teliasonera ultimately did not get dropped, but it continues to have security problems to this day.

DarkMatter was already given an "intermediate" certificate by another company, called QuoVadis, now owned by DigiCert. That's bad enough, but the "intermediate" authority at least comes with ostensible oversight by DigiCert. Without that oversight, the situation will be much worse. We would encourage Mozilla and others to revoke even this intermediate certificate, given DarkMatter's known practices subverting internet security.

Mozilla and other root certificate database maintainers (Microsoft, Google, and Apple) should not trust Dark Matter as a root certificate authority. To do so would not only give Dark Matter, a company which has repeatedly demonstrated their interest in breaking encryption, enormous power; it would also open the door for other cyber-mercenary groups, such as NSO Group or Finfisher, to worm their way in as well.

We encourage everyone concerned about Dark Matter being included in the Mozilla trust database to make your feelings known on Mozilla’s security policy mailing list.

Tags