Mozilla's security team has been caught between a rock and a hard place in regards to a recent request to add a known surveillance vendor to Firefox's internal list of approved HTTPS certificate issuers.
The vendor is named DarkMatter, a cyber-security firm based in the United Arab Emirates that has been known to sell surveillance and hacking services to oppressive regimes in the Middle East [1, 2, 3].
A few months back, DarkMatter filed a bug report asking that its own root certificates be added to the Firefox's certificate store --which is an internal list of Certificate Authorities (CAs).
CAs are companies, organizations, and other entities that are approved to issue new TLS certificates --the mechanism that supports encrypted HTTPS communications.
Mozilla uses this certificate store to know what TLS certificates to trust when loading encrypted content inside Firefox and Thunderbird, similar to how Apple, Google, and Microsoft all use their own certificate stores to know what content to trust in their own products as well.
An organization that has a root certificate added in these root stores has the power to issue new certificates that are automatically trusted by these major companies and their respective browsers.
Currently, Mozilla is caught between a rock and a hard place because DarkMatter has a history of shady operations but also has a clean history as a CA, without any known abuses.
On one side Mozilla is pressured by organizations like the Electronic Frontier Foundation, Amnesty International, and The Intercept to decline DarkMatter's request, while on the other side DarkMatter claims it never abused its TLS certificate issuance powers for anything bad, hence there's no reason to treat it any differently from other CAs that have applied in the past.
Fears and paranoia are high because Mozilla's list of trusted root certificates is also used by some Linux distros. Many fear that once approved on Mozilla's certificate store list, DarkMatter may be able to issue TLS certificates that will be able to intercept internet traffic without triggering any errors on some Linux systems, usually deployed in data centers and at cloud service providers.
In Google Groups and Bugzilla discussions on its request, DarkMatter has denied any wrongdoing or any intention to do so.
The company has already been granted the ability to issue TLS certificates via an intermediary, a company called QuoVadis, now owned by DigiCert.
Those who are asking Mozilla to decline DarkMatter's request of inclusion in the root certificate store were quick to seize on the fact that DarkMatter has already misissued a few TLS certificates already via QuoVadis. However, most seem technical errors, and the certificates don't seem to have been abused for anything malicious.
"Given DarkMatter's business interest in intercepting TLS communications adding them to the trusted root list seems like a very bad idea," EFF's Cooper Quintin said in the Google Groups discussions. "I would go so far as revoking their intermediate certificate as well, based on these revelations."
Quintin expanded on his fears in a post on the EFF blog, reminding Mozilla that it went through a similar issue in 2009 with CNNIC, the Chinese government's official CA. Mozilla approved CNNIC as a trusted root CA in Firefox in 2009, and the CA was caught misissuing certificates for Google domains in 2015, allowing threat actors to intercept traffic meant for Google sites --an event that got CNNIC banned inside most certificate root store lists.
According to Mozilla engineers who spoke with ZDNet on deep background and did not want to share their names because they were not authorized to speak on behalf of the organization, Mozilla is seriously considering the issue.
We were told that Mozilla was not aware of DarkMatter's history at the time it applied to be included in its root store a few months back. A Reuters report published last month describing DarkMatter's involvement in helping the Saudi government spy on dissidents turned a few heads at Mozilla.
The report sparked criticism of the surveillance vendor in the months-old Bugzilla bug report, which led Mozilla staff to seriously consider making an exception to its normal CA approval process and decline the inclusion request despite a lack of any evidence of abuse.
Mozilla has now opened a separate Google Groups discussion to gather more feedback from the community, most of which, at the time of writing, has been negative. We were told Mozilla would most likely use this criticism as a reason to decline DarkMatter's request in an attempt to avoid bad press and another CNNIC incident.
"Mozilla's Root Store Policy grants us the discretion to take actions based on the risk to people who use our products. Despite the lack of direct evidence of misissuance by DarkMatter, this may be a time when we should use our discretion to act in the interest of individuals who rely on our root store," Mozilla said.
Article updated to remove a technical inaccuracy.