back to article Mozilla boots alleged snoop troupe from its root cert coop: UAE-based DarkMatter thrown onto CA blocklist

Mozilla on Tuesday added digital certificates belonging to security biz DarkMatter and its subsidiaries to Firefox's OneCRL blocklist, based on concerns that the UAE-based company will misuse its power as a certificate authority (CA) to intercept online communications. In a post to Mozilla's security policy forum, Wayne Thayer …

  1. swm Silver badge

    Good for Mozilla!

  2. regbadgerer

    This kind of behaviour makes me want to go back to firefox, despite the reasons I left.

    1. e^iπ+1=0

      back to firefox

      Doh, just use Chrome then!

      Leave Firefox to those of us who care.

      1. Anonymous Coward
        Anonymous Coward

        Re: back to firefox

        There are legit reasons. Crap hardware acceleration being my main bugbear...especially on Linux.

        I still use Firefox, but not for consuming video content etc.

        Scrolling in Firefox is super rough too. Even with smooth scrolling on.

        I love the security aspects of Firefox, it's the Rolls Royce of browsers there, but the general user experience is comparable to that of a Lada.

  3. Pascal Monett Silver badge

    "multiple independent reports [..] credible allegations that DarkMatter [..] involved in spying"

    I did a half-hearted search for Darkmatter and spying, not expecting to find much, but wow was I wrong.

    And there's more where that came from.

  4. DrXym Silver badge

    And it all goes to show...

    ... what a shell game CA certification is. It's a security shakedown with false security imbued onto a site from a CA that nobody has ever heard of and is potentially rogue. It's only slightly better than nothing that browser vendors remove a CA after the fact.

    IMO sites should be allowed to protect themselves with any cert, even a self signed one (*). A site can still pay for a CA signature if they want (e.g. if the CA audits the business in some meaningful way). But they should also be allowed to sign their cert with keys from other people or businesses their site has a professional relationship with. e.g. if my site is for an accountancy firm, why not allow the site to be signed by the Institute of Chartered Accountants and some other meaningful signatories?

    I'm sure a browser could figure some simple way to present this info with a traffic light style information system.

    * - A self signed cert is still better than plaintext and is perfectly adequate for a lot of web content. Especially when the site owner can set the thing to expire for a duration that suits them, not the CA's revenue model. Ah but what about man in the middle attacks? Well plaintext doesn't help there either but at least self-signed stops snooping. And services like SSL lighthouse can check for MITM attacks when the cert for a site appears to change for one visit / visitor compared to another.

    1. phuzz Silver badge

      Re: And it all goes to show...

      "sites should be allowed to protect themselves with any cert, even a self signed one"

      Websites are allowed to use whatever cert they like (or none at all).

      Equally though, users are also allowed to look at a site with a self signed cert and say "that looks fucking dodgy".

      And a self signed cert doesn't stop MitM snooping, because there's no way for the end user to know that the cert was signed by the site itself, or by some bit of pass-through spying equipment in between.

      1. jms222

        Re: And it all goes to show...

        but self-signed does does stop sniffing and reading data. Mitm is a step up from just sniffing.

        1. DrXym Silver badge

          Re: And it all goes to show...

          And plaintext can have man in the middle too. And if browsers compared self signed certs to a central DB and/or to previous visits they could mitigate against that too.

          1. Orv Silver badge

            Re: And it all goes to show...

            In most browsers you can do exactly that -- "add exception" or its equivalent will make that cert trusted in the future. In Safari this actually goes into your account's certificate store.

            There are still issues with this (how do you know the initial certificate you got is the correct one?) but it's better than nothing.

      2. DrXym Silver badge

        Re: And it all goes to show...

        And you obviously didn't read very far because I addressed the point of Man in the Middle.

        SSL Observatory (I called it Lighthouse by mistake previously) exist that check the cert you see against a centralized database built by other visitors and warns the user if the cert you see is different to the cert someone else sees. This could prevent MiTM attacks. And any site with reason to fear such an attack could sign their cert with a CA or a web of trust - other points I addressed.

        The point being that CA signing is a shakedown. The "trust" is to make the scary box in the browser and its binary security model go away, little else.

        A self signed cert is better than plaintext. A self signed cert coupled with such a service integrated into a browser is better yet, a web of trust better yet. Maybe if you're a bank or retailer you'll pay the 000s for the CA for a signature that means something. Otherwise it means very little.

        1. Orv Silver badge

          Re: And it all goes to show...

          PGP tried "web of trust" and it never really got off the ground, except within very small groups. (I mean, PGP is used all the time; but actual traceable webs of trust among keys are rare.)

          Also you don't have to pay anything for a signed cert. I use Let's Encrypt on my personal servers; at work we have access to InCommon certificates.

          1. DrXym Silver badge

            Re: And it all goes to show...

            That's because PGP was never the defacto format for the web, not because the idea was without merit.

    2. JohnFen

      Re: And it all goes to show...

      The use of commercial CAs was always a compromise that weakens security, as it effectively breaks the chain of trust. I haven't considered certs that are "trusted" because some CA signed it to be trustworthy for years, because of the numerous and continuing failures of that system.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like