
SoylentNews is people

posted by mrpg on Tuesday February 26 2019, @09:49AM
from the ?¿?!!¡¡ dept.

Submitted via IRC for chromas

Surveillance firm asks Mozilla to be included in Firefox's certificate whitelist

[...] The vendor is named DarkMatter, a cyber-security firm based in the United Arab Emirates that has been known to sell surveillance and hacking services to oppressive regimes in the Middle East

[...] On one side Mozilla is pressured by organizations like the Electronic Frontier Foundation, Amnesty International, and The Intercept to decline DarkMatter's request, while on the other side DarkMatter claims it never abused its TLS certificate issuance powers for anything bad, hence there's no reason to treat it any differently from other CAs that have applied in the past.

Fears and paranoia are high because Mozilla's list of trusted root certificates is also used by some Linux distros. Many fear that once approved on Mozilla's certificate store list, DarkMatter may be able to issue TLS certificates that will be able to intercept internet traffic without triggering any errors on some Linux systems, usually deployed in data centers and at cloud service providers.

In Google Groups and Bugzilla discussions on its request, DarkMatter has denied any wrongdoing or any intention to do so.

The company has already been granted the ability to issue TLS certificates via an intermediary, a company called QuoVadis, now owned by DigiCert.

Also at Electronic Frontier Foundation
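The worry in the story is that a root accepted into Mozilla's list ends up trusted by the TLS stacks of Linux systems that ship that list. As an added illustration (not code from the story or from either linked article), the Python below shows the two checks an administrator or developer would want: enumerate the roots the system bundle actually trusts and search them by name, and build a context that trusts only an explicit CA file so a root added to the distro bundle later cannot issue a certificate the application accepts. The `SAMPLE_CERTS` records and the "Example Root CA Org" name are constructed for the demonstration.

```python
import ssl

# Constructed sample records in the shape SSLContext.get_ca_certs() returns.
# The organisation and CA names below are made up for this demonstration.
SAMPLE_CERTS = [
    {
        "subject": (
            (("countryName", "AE"),),
            (("organizationName", "Example Root CA Org"),),
            (("commonName", "Example Root G1"),),
        ),
        "notAfter": "Jan  1 00:00:00 2040 GMT",
    },
    {
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "Other Org"),),
            (("commonName", "Other Root"),),
        ),
        "notAfter": "Jan  1 00:00:00 2035 GMT",
    },
]


def trusted_roots():
    """Return the root certificates Python's default context trusts.

    create_default_context() calls load_default_certs(), which on Linux reads
    the system bundle, so this list is what the OS trust store contains."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


def subject_field(cert, field):
    """Pull one attribute (e.g. organizationName) out of a decoded subject."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def find_roots(certs, needle):
    """Case-insensitive search of CN and O fields; returns (CN, O, notAfter) tuples."""
    needle = needle.lower()
    hits = []
    for cert in certs:
        cn = subject_field(cert, "commonName") or ""
        org = subject_field(cert, "organizationName") or ""
        if needle in cn.lower() or needle in org.lower():
            hits.append((cn, org, cert.get("notAfter")))
    return hits


def restricted_context(cafile):
    """Context that trusts only the CAs in `cafile` instead of the system bundle.

    When cafile is given, create_default_context() uses load_verify_locations()
    and does not call load_default_certs(), so the distro bundle is ignored."""
    return ssl.create_default_context(cafile=cafile)


if __name__ == "__main__":
    roots = trusted_roots()
    print(f"{len(roots)} root certificates trusted by the system bundle")
    # Search the live bundle for the constructed name (normally no hit) and
    # the constructed sample for the same name (one hit).
    for cn, org, expires in find_roots(roots, "Example Root CA Org"):
        print(f"  system bundle: {cn} ({org}), expires {expires}")
    for cn, org, expires in find_roots(SAMPLE_CERTS, "example root"):
        print(f"  sample match: {cn} ({org}), expires {expires}")
```

Run it with the name of any CA you are curious about as the `needle`; the first figure printed is the count of roots your system would accept a chain from today. `restricted_context()` is the opt-out: pin an application to a short bundle of your own choosing and the contents of the distro's store stop mattering for that connection.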

  • (Score: 3, Insightful) by zocalo (302) on Tuesday February 26 2019, @11:53AM (#806880)
    Probably because Mozilla is catering for regular users who just want their browser to work (and will switch to Chrome if it doesn't), probably won't understand what they are agreeing to, and may live in a region of the world where Chunghwa Telecom, E-Tugra, or whatever is much more prevalent as a CA, although they must have some nous because they've presumably installed an alternative browser in the first place. It would be nice to have the option to have a combination of default deny with a "first time seen confirmation" prompt though, but that hardly fits in with what appears to be the current design ethos of throwing in everything including the kitchen sink that most users don't want while simultaneously removing or burying under "about:config" all the stuff that many users do seem to want. You can always edit the list and delete any unwanted CA entries, of course, but I suspect they'll come straight back on the next update.
    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 3, Interesting) by hoeferbe (4715) on Tuesday February 26 2019, @01:31PM (#806898)
    zocalo (302) wrote:

    You can always edit the list and delete any unwanted CA entries, of course, but I suspect they'll come straight back on the next update.

    This.  Long ago, I tried deleting all my CAs, intending to only accept server certificates that I verified through a secondary route.  Not only was it a tremendous hassle since various huge entities would have different certificates that expired at different times for their ephemeral cloud / content delivery network machines, but yes, a Firefox update undid all that work.

    I tried using Certificate Patrol [psyced.org] for much the same reason. Yet, even with its ability to whitelist by domain names, it was still too much of a pain caused by clustered sites using several inconsistent certificates.

    • (Score: 3, Interesting) by pTamok (3042) on Tuesday February 26 2019, @06:37PM (#807144)

      I used to use the Firefox Extension 'Perspectives' from CMU, but it ran into the sand. It was a nice idea - there is still a zombie website [perspectives-project.org], but little else to show for it.

      It checked to see if the certificate* you got for a website was the same as other users got by using public notaries that kept track of certificates from multiple different locations. A MITM attack using a certificate that passed browser validations substituting for the actual certificate would be detected, as checking the public notary servers would show the discrepancy.
      More details here: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing Dan Wendlandt, David G. Andersen, Adrian Perrig Carnegie Mellon University [cmu.edu] (pdf)

      It is something that I wish had been taken further.

      *Actually, server public keys.
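An added example, not part of pTamok's comment or of the Perspectives project's own code: a Python sketch of the quorum-duration policy the paper describes, in which a key is accepted only when enough notaries have seen the same key for the host, and have seen it for long enough. A key no notary has seen is rejected (the substituted-certificate case the comment describes), while a key every notary has seen only since yesterday is flagged as new rather than silently accepted. The notary names, host name, key labels and day numbers are constructed sample data; the `fingerprint` helper shows the step a real notary performs on the server's public key, and the `STALE_DAYS`, `quorum` and `min_days` thresholds are assumptions chosen for the demonstration.

```python
import hashlib

# How many days a notary's latest record may lag before it is ignored (assumed value).
STALE_DAYS = 2

# Constructed sample notary data (not output of real Perspectives notaries).
# notary name -> host -> list of (key_fingerprint, first_seen_day, last_seen_day)
NOTARIES = {
    "notary-eu":   {"www.example.test": [("key-A", 0, 120)]},
    "notary-us":   {"www.example.test": [("key-A", 3, 120)]},
    "notary-asia": {"www.example.test": [("key-A", 1, 120)]},
    "notary-sa":   {"www.example.test": [("key-A", 0, 119)]},
}


def fingerprint(spki_der: bytes) -> str:
    """Fingerprint of the server's public key (SubjectPublicKeyInfo DER).

    Perspectives compared keys rather than certificates, so a fresh
    certificate for a different key still shows up as a change even when it
    chains to a trusted root."""
    return hashlib.sha256(spki_der).hexdigest()


def agreeing_durations(host, observed_fp, notaries, today):
    """For each notary whose latest, non-stale record for host carries
    observed_fp, return how many days it has continuously seen that key,
    longest first."""
    durations = []
    for notary in notaries.values():
        history = notary.get(host, [])
        if not history:
            continue
        fp, first_seen, last_seen = max(history, key=lambda obs: obs[2])
        if fp == observed_fp and today - last_seen <= STALE_DAYS:
            durations.append(last_seen - first_seen)
    return sorted(durations, reverse=True)


def evaluate(host, observed_fp, notaries, today, quorum=3, min_days=7):
    """Quorum-duration policy: accept only if at least `quorum` notaries have
    seen observed_fp for host, and the shortest of those quorum histories is
    at least `min_days` long.  Returns (verdict, agreeing, quorum_duration)."""
    durations = agreeing_durations(host, observed_fp, notaries, today)
    agreeing = len(durations)
    if agreeing < quorum:
        # Other vantage points do not see this key: the in-path substitution case.
        return ("REJECT", agreeing, 0)
    quorum_duration = durations[quorum - 1]
    if quorum_duration < min_days:
        # Everyone sees it, but only recently: rotation or a fresh, widespread change.
        return ("WARN", agreeing, quorum_duration)
    return ("ACCEPT", agreeing, quorum_duration)


if __name__ == "__main__":
    host = "www.example.test"
    print(evaluate(host, "key-A", NOTARIES, today=120))  # long-standing key
    print(evaluate(host, "key-B", NOTARIES, today=120))  # key no notary has seen
    constructed_spki = b"constructed-bytes-not-a-real-public-key"
    print(fingerprint(constructed_spki)[:16])
```

The verdict is a tuple so the caller can decide how to surface it: Perspectives let the user set the quorum and duration, which is exactly the "first time seen confirmation" knob zocalo asks for above, applied to keys rather than to CAs.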