Mozilla is considering rejecting a request by United Arab Emirates-based DarkMatter to be accepted as a top-level certificate authority in Mozilla’s root certificate program.

In December 2017, the UAE organization asked Mozilla to add its root to Mozilla products, and the request entered the review process soon after. DarkMatter is a subordinate certificate authority (CA) under QuoVadis, now part of DigiCert (which also acquired Symantec’s CA business). 

About a week ago, one Bugzilla contributor posted a link to a January 30 Reuters article revealing that DarkMatter was engaging in broad cyber-espionage activities. This immediately triggered negative responses, raising concerns regarding the possible abuse from an organization known to engage into cyber-espionage operations.

“I also believe that including DarkMatter's root CA carries a large risk of abuse, and would reduce the security of Firefox. I would be surprised if DarkMatter didn't use their CA to sign malicious certificates to aid their illegitimate hacking operations, including against local UAE dissidents,” The Intercept’s Micah Lee notes. 

Others expressed similar concerns, including Electronic Frontier Foundation Senior Staff Technologist Cooper Quintin, who also points out that Mozilla’s list of trusted root certificates isn’t used in Firefox alone, but in many other products as well, including Linux.  

“Giving such a trusted position to this company would be a very bad idea. DarkMatter has a business interest in subverting encryption, and would be able to potentially decrypt any HTTPS traffic they intercepted,” Quintin points out.

This is not the first time the organization’s cyber-espionage activities were brought to light. Similar information emerged in 2016, after an Italian security researcher revealed that DarkMatter attempted to recruit him for a mass surveillance project.  

On Friday, Mozilla opened discussion on the mozilla.dev.security.policy mailing list, asking for suggestions on the possible course of action regarding DarkMatter’s root inclusion request. 

“We are not aware of direct evidence of misused certificates in this case. However, the evidence does strongly suggest that misuse is likely to occur, if it has not already. Mozilla’s Root Store Policy grants us the discretion to take actions based on the risk to people who use our products,” Wayne Thayer, Certification Authority Program Manager at Mozilla, points out. 

Mozilla, he says, is considering acting in the interest of individuals who rely on their root store and rejecting DarkMatter’s request by adding their intermediate CA certificates signed by QuoVadis to OneCRL.

EFF’s Quintin suggests that even DarkMatter’s status of intermediate CA is a bad thing, albeit DigiCert oversees its activity, and encourages Mozilla and others “to revoke this intermediate certificate, given DarkMatter's known practices subverting internet security.”

“Mozilla and other root certificate database maintainers (Microsoft, Google, and Apple) should not trust Dark Matter as a root certificate authority. To do so would not only give Dark Matter, a company which has repeatedly demonstrated their interest in breaking encryption, enormous power; it would also open the door for other cyber-mercenary groups, such as NSO Group or Finfisher, to worm their way in as well,” Quintin concludes.