Firefox browser-maker Mozilla is considering whether to block cybersecurity company DarkMatter from serving as one of its internet security gatekeepers after a Reuters report linked the United Arab Emirates-based firm to a cyber espionage program.
Reuters reported in January that DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government.
Former Raven operatives told Reuters that many DarkMatter executives were unaware of the secretive program, which operated from a converted Abu Dhabi mansion away from DarkMatter’s headquarters.
Those operations included hacking into the internet accounts of human rights activists, journalists and officials from rival governments, Reuters found. DarkMatter has denied conducting the operations and says it focuses on protecting computer networks.
[...] DarkMatter has been pushing Mozilla for full authority to grant certifications since 2017, the browser maker told Reuters. That would take it to a new level, making it one of fewer than 60 core gatekeepers for the hundreds of millions of Firefox users around the world.
[Selena] Deckelmann said Mozilla is worried that DarkMatter could use the authority to issue certificates to hackers impersonating real websites, like banks.
As a certification authority, DarkMatter would be partially responsible for encryption between websites they approve and their users.
In the wrong hands, the certification role could allow the interception of encrypted web traffic, security experts say.
In the past Mozilla has relied exclusively on technical issues when deciding whether to trust a company with certification authority.
The Reuters investigation has led it to reconsider its policy for approving applicants. “You look at the facts of the matter, the sources that came out, it’s a compelling case,” said Deckelmann.
Previously: Surveillance Firm Asks Mozilla to be Included in Firefox's Certificate Whitelist
Related Stories
Submitted via IRC for chromas
Surveillance firm asks Mozilla to be included in Firefox's certificate whitelist
[...] The vendor is named DarkMatter, a cyber-security firm based in the United Arab Emirates that has been known to sell surveillance and hacking services to oppressive regimes in the Middle East
[...] On one side Mozilla is pressured by organizations like the Electronic Frontier Foundation, Amnesty International, and The Intercept to decline DarkMatter's request, while on the other side DarkMatter claims it never abused its TLS certificate issuance powers for anything bad, hence there's no reason to treat it any differently from other CAs that have applied in the past.
Fears and paranoia are high because Mozilla's list of trusted root certificates is also used by some Linux distros. Many fear that once approved on Mozilla's certificate store list, DarkMatter may be able to issue TLS certificates that will be able to intercept internet traffic without triggering any errors on some Linux systems, usually deployed in data centers and at cloud service providers.
In Google Groups and Bugzilla discussions on its request, DarkMatter has denied any wrongdoing or any intention to do so.
The company has already been granted the ability to issue TLS certificates via an intermediary, a company called QuoVadis, now owned by DigiCert.
Also at Electronic Frontier Foundation
(Score: 2) by inertnet on Wednesday March 06 2019, @12:15PM (1 child)
I fear that Mozilla is going to lose a lot of users if they go ahead with this.
(Score: 4, Interesting) by aiwarrior on Wednesday March 06 2019, @12:50PM
Giving the certificates pass would be absolutely ridiculous. It's like: "Oh a hitman wants to buy a gun", hmmm he never killed the gun salesman before so it is ok.
(Score: 1, Insightful) by Anonymous Coward on Wednesday March 06 2019, @03:49PM (3 children)
Then tell the world the truth. HTTPS is stupid and wasn't designed to work as advertised. It's real purpose is tracking and malware delivery. You all are wasting valuable computer resources, and time arguing about it. But as long as we're using this shit, I hope we can delete or disable the ones we don't like. We also need to make it easier to bypass the whole system. Another design "flaw" seems to block sites you want to enter regardless. Sounds political to me. No doubt that it is.
(Score: 2) by darkfeline on Thursday March 07 2019, @05:10AM (2 children)
What alternative do you propose, oh wise one?
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Friday March 08 2019, @02:52AM (1 child)
Just go back to regular HTTP, you know, hyper
cardtext!(Score: 0) by Anonymous Coward on Friday March 08 2019, @08:27AM
Eh, gopher was where it was really at. Better file transfer protocol than FTP and a better web protocol than HTTP.
(Score: 0) by Anonymous Coward on Wednesday March 06 2019, @05:38PM
Every company is under coercion by the government of every nation in which it operates. The employees may even be forced to secretly act against the company, if they aren't wholeheartedly in support of that already.
This includes every company issuing certificates, domain names, or IP address space. It includes the countries in which web servers are physically located. It includes the countries where the web developers work, and their countries of citizenship.
The proper rule is simple: instead of the locked-lock icon for web site security, display the flag of every country which you'd need to trust.
Some of that is hopelessly difficult, for example all the dual citizenship of all Google employees. The basics are not too bad. We know where companies are incorporated and headquartered. Use that.
So if a UAE certificate is found on a French domain with a US IP address, display those flags: UAE, US, France. It becomes clear that you must trust all 3 if you are to trust the web site.
Make the indicator flash, with a bright red border, if there is more than one country. Web sites shouldn't be increasing their security risk by involving extra countries.