Remember DarkMatter, the UAE-based cybermercenaries who worked with the beltway bandit firm CyberPoint to recruit ex-NSA spies to infiltrate and expose dissidents, journalists, even children who opposed the despotic regime in the Emirates? (DarkMatter is also one of the least-discriminating cybermercenary bands in the world, available to help torturers, murderers and thugs hang onto power by attacking opposition movements and letting the secret police know who to arrest, torture and kill.)
Now DarkMatter has applied to Mozilla to become a root "Certificate Authority," which means certificates chaining up to its root would be trusted by default by Firefox and its derivatives. A trusted root can sign a certificate for any hostname, so whoever holds its keys can impersonate virtually any HTTPS site to a browser that trusts it: that is the raw material of an interception tool that breaks encrypted web sessions. Certificate Transparency would expose such a certificate, but only if it gets logged, and Firefox does not require CT logging, so a certificate shown only to a handful of targets could go unnoticed.
And since Mozilla's root store (the NSS certificate bundle) is repackaged by Linux distributions and used by countless TLS clients outside the browser (curl, Python, anything that reads the system ca-certificates bundle), a root trusted by Mozilla is trusted far beyond Firefox. Distribution package updates themselves are normally verified with the distribution's own GPG signatures rather than TLS, so the exposure is every other HTTPS connection those systems make, which is still an enormous number of machines.
Without being too hyperbolic about this: HOLY FUCKING SHIT IS THIS A BAD IDEA.
Actually, it's bad already: QuoVadis, a DigiCert division, has already issued DarkMatter an "intermediate" certificate that chains up to a DigiCert root browsers already trust, so certificates DarkMatter signs with it are accepted today. That is all an interception tool needs to sit in the middle of your web session. Yes, yours.
As Cooper Quintin writes on EFF Deeplinks, this is a terrible idea and Mozilla should tell them to go pound sand. Moreover, Moz should distrust DarkMatter's existing intermediate in Firefox (and DigiCert, which issued it, should revoke it). The root of trust is for entities committed to improving encryption and privacy; DarkMatter's business is subverting encryption and destroying its targets' privacy.
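To make concrete what a trusted root, an intermediate chained to it, a distrust entry and a name constraint each mean to a browser, here is an added example in Go (it is not code from the original post, nor from Mozilla, DigiCert or DarkMatter). It builds a throwaway three-certificate chain with constructed names (a root "Example Trusted Root CA" standing in for any browser-trusted root, a hypothetical sub-CA, and a victim hostname bank.example) and runs it through a client that trusts only the root. Three cases are shown: an unconstrained intermediate lets the sub-CA mint a certificate for bank.example that the client accepts; a distrust list keyed by issuer and serial (modeled loosely on how Mozilla's OneCRL blocks intermediates it cannot itself revoke) rejects the same chain; and an intermediate issued with a DNS name constraint to the sub-CA's own domain is rejected when it signs for bank.example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey under parent; when parent == tmpl the result is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildPKI constructs root -> intermediate -> leaf, with the leaf issued for victimHost.
// All names are constructed for this example. If constrained is true the intermediate
// carries a critical name constraint permitting only permittedDomain and its subdomains.
func BuildPKI(victimHost, permittedDomain string, constrained bool) PKI {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, "Example Trusted Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	intTmpl := ca(2, "Example Sub-CA (hypothetical)")
	if constrained {
		intTmpl.PermittedDNSDomainsCritical = true
		intTmpl.PermittedDNSDomains = []string{permittedDomain}
	}
	inter := issue(intTmpl, root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: victimHost},
		DNSNames:  []string{victimHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return PKI{root, inter, leaf}
}

// DistrustKey is the identifier a distrust list uses for a certificate: issuer plus serial.
func DistrustKey(c *x509.Certificate) string {
	return c.Issuer.String() + "|" + c.SerialNumber.String()
}

// ClientAccepts mimics a TLS client that trusts only p.Root, received p.Leaf and
// p.Intermediate from the server, and additionally rejects any chain that passes
// through an intermediate on the distrust list. Returns nil when the client would
// accept the connection to host.
func ClientAccepts(p PKI, host string, distrusted map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Intermediate)
	chains, err := p.Leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return err // path building, name matching or name constraints failed
	}
	for _, chain := range chains {
		for i := 1; i < len(chain)-1; i++ { // chain[0] is the leaf, last is the root
			if distrusted[DistrustKey(chain[i])] {
				return fmt.Errorf("chain passes through distrusted intermediate %q", chain[i].Subject.CommonName)
			}
		}
	}
	return nil
}

func main() {
	victim := "bank.example" // constructed hostname
	p := BuildPKI(victim, "sub-ca.example", false)
	fmt.Println("unconstrained intermediate, no distrust:", ClientAccepts(p, victim, nil))
	block := map[string]bool{DistrustKey(p.Intermediate): true}
	fmt.Println("unconstrained intermediate, distrusted:  ", ClientAccepts(p, victim, block))
	q := BuildPKI(victim, "sub-ca.example", true)
	fmt.Println("name-constrained intermediate:          ", ClientAccepts(q, victim, nil))
}
```

Run it with `go run`; the first line prints `<nil>` (the forged certificate is accepted), the second reports the distrusted intermediate, and the third fails with a name-constraint error. The first case is the whole problem: nothing about the victim's site is consulted, only whether a trusted root vouches, transitively, for the signer. The second is the lever Mozilla actually has over an intermediate it did not issue, and the third is the control DigiCert could have applied when issuing to a sub-CA whose customers are all in one namespace.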
Update: Moz is on it! This is some popcorn.gif-worthy side-eye from the relevant Mozillan.
DarkMatter was already given an "intermediate" certificate by another company, called QuoVadis, now owned by DigiCert. That's bad enough, but the "intermediate" authority at least comes with ostensible oversight by DigiCert. Without that oversight, the situation will be much worse. We would encourage Mozilla and others to revoke even this intermediate certificate, given DarkMatter's known practices subverting internet security.
Mozilla and other root certificate database maintainers (Microsoft, Google, and Apple) should not trust DarkMatter as a root certificate authority. To do so would not only give DarkMatter, a company which has repeatedly demonstrated their interest in breaking encryption, enormous power; it would also open the door for other cyber-mercenary groups, such as NSO Group or FinFisher, to worm their way in as well.
We encourage everyone concerned about DarkMatter being included in the Mozilla trust database to make your feelings known on Mozilla's security policy mailing list.
Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else
[Cooper Quintin/EFF Deeplinks]