Re: DarkMatter Concerns
On Sat, Feb 23, 2019 at 02:07:38PM +0400, Scott Rea via dev-security-policy wrote: > G’day Wayne et al, > > In response to your post overnight (included below), I want to assure you > that DarkMatter’s work is solely focused on defensive cyber security, secure > communications and digital transformation. We have never, nor will we ever, > operate or manage non-defensive cyber activities against any nationality. Can you explain what you mean with defensive cyber security and how this relates to the CA? Kurt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: DarkMatter Concerns
On Friday, February 22, 2019 at 10:21:24 PM UTC+1, Wayne Thayer wrote: > We are not aware of direct evidence of misused > certificates in this case. However, the evidence does strongly suggest that > misuse is likely to occur, if it has not already. So, basing the trust of a CA on "suggestion" and crystal-ball like "looking into the future" (asserting they _will_ abuse their power) without a shred of conclusive evidence is considered good practice, now? Aren't the rules for admission of a CA in root stores there for a reason (among others to keep the process objective)? Not like all the other ones in the root stores have spotless historical records either. Far from it. > I don't see how approving them, or the continued trust in their > intermediates, would be in the interests of Mozilla's users or compatible > with the Mozilla Manifesto. Oh come on. Mozilla itself isn't compatible with the Mozilla Manifesto. Also, I don't see how a corporate organization's manifesto should have any bearing on the truststore used in many independent FOSS operating systems and applications. Mozilla might not agree with many things based on political bias and let's leave that out the door, shall we? Or do you want to start refusing or distrusting CAs that have any sort of affiliation with right-wing political parties next? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: DarkMatter Concerns
G’day Wayne et al, In response to your post overnight (included below), I want to assure you that DarkMatter’s work is solely focused on defensive cyber security, secure communications and digital transformation. We have never, nor will we ever, operate or manage non-defensive cyber activities against any nationality. Furthermore, in the spirit of transparency, we have published all our public trust TLS certificates to appropriate CT log facilities (including even all our OV certificates) before this was even a requirement. We have been entirely transparent in our operations and with our clients as we consider this a vital component of establishing and maintaining trust. We have used FIPS certified HSMs as our source of randomness in creating our Authority certificates, so we have opened an investigation based on Corey Bonnell’s earlier post regarding serial numbers and will produce a corresponding bug report on the findings. I trust this answers your concerns and we can continue the Root inclusion onboarding process. Regards, -- Scott Rea On 2/23/19, 1:21 AM, "dev-security-policy on behalf of Wayne Thayer via dev-security-policy" wrote: The recent Reuters report on DarkMatter [1] has prompted numerous questions about their root inclusion request [2]. The questions that are being raised are equally applicable to their current status as a subordinate CA under QuoVadis (recently acquired by DigiCert [3]), so it seems appropriate to open up a discussion now. The purpose of this discussion is to determine if Mozilla should distrust DarkMatter by adding their intermediate CA certificates that were signed by QuoVadis to OneCRL, and in turn deny the pending root inclusion request. The rationale for distrust is that multiple sources [1][4][5] have provided credible evidence that spying activities, including use of sophisticated targeted surveillance tools, are a key component of DarkMatter’s business, and such an organization cannot and should not be trusted by Mozilla. In the past Mozilla has taken action against CAs found to have issued MitM certificates [6][7]. We are not aware of direct evidence of misused certificates in this case. However, the evidence does strongly suggest that misuse is likely to occur, if it has not already. Mozilla’s Root Store Policy [8] grants us the discretion to take actions based on the risk to people who use our products. Despite the lack of direct evidence of misissuance by DarkMatter, this may be a time when we should use our discretion to act in the interest of individuals who rely on our root store. I would greatly appreciate everyone's constructive input on this issue. - Wayne [1] https://www.reuters.com/investigates/special-report/usa-spying-raven/ [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262 [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/hicp7AW8sLA/KUSn20MrDgAJ [4] https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Emirates-Intelligence-Tried-to-Hire-me-to-Spy-on-its-People/ [5] https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/ [6] https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/Fj-LUvhVQYEJ [7] https://bugzilla.mozilla.org/show_bug.cgi?id=1232689 [8] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Scott Rea | Senior Vice President - Trust Services Tel: +971 2 417 1417 | Mob: +971 52 847 5093 scott@darkmatter.ae The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: DarkMatter Concerns
On Fri, Feb 22, 2019 at 03:45:39PM -0800, cooperq--- via dev-security-policy wrote: > On Friday, February 22, 2019 at 2:37:20 PM UTC-8, Jonathan Rudenberg wrote: > > With regards to the broader question, I believe that DarkMatter's alleged > > involvement with hacking campaigns is incompatible with operating a > > trustworthy CA. This combined with the existing record of apparent > > incompetence by DarkMatter (compare the inclusion bugs for other recently > > approved CAs for contrast), makes me believe that the approval request > > should be denied and the existing intermediates revoked via OneCRL. I don't > > see how approving them, or the continued trust in their intermediates, > > would be in the interests of Mozilla's users or compatible with the Mozilla > > Manifesto. > > > > Jonathan > > > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c29 > > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c32 > > I wrote a post about this issue this morning for EFF: > https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else > > Given DarkMatter's business interest in intercepting TLS communications > adding them to the trusted root list seems like a very bad idea. (I would go > so far as revoking their intermediate certificate as well, based on these > revelations.) I would also like to have a comment from the current root owner (digicert?) on what they plan to do with it. Kurt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: DarkMatter Concerns
On Friday, February 22, 2019 at 6:51:52 PM UTC-5, coo...@gmail.com wrote: > On Friday, February 22, 2019 at 2:37:20 PM UTC-8, Jonathan Rudenberg wrote: > > With regards to the broader question, I believe that DarkMatter's alleged > > involvement with hacking campaigns is incompatible with operating a > > trustworthy CA. This combined with the existing record of apparent > > incompetence by DarkMatter (compare the inclusion bugs for other recently > > approved CAs for contrast), makes me believe that the approval request > > should be denied and the existing intermediates revoked via OneCRL. I don't > > see how approving them, or the continued trust in their intermediates, > > would be in the interests of Mozilla's users or compatible with the Mozilla > > Manifesto. > > > > Jonathan > > > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c29 > > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c32 > > I wrote a post about this issue this morning for EFF: > https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else > > Given DarkMatter's business interest in intercepting TLS communications > adding them to the trusted root list seems like a very bad idea. (I would go > so far as revoking their intermediate certificate as well, based on these > revelations.) I can't trust the Dark Matter CA for a minute. It's a threat to national security. It's a national security issue. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: DarkMatter Concerns
On Friday, February 22, 2019 at 2:37:20 PM UTC-8, Jonathan Rudenberg wrote: > With regards to the broader question, I believe that DarkMatter's alleged > involvement with hacking campaigns is incompatible with operating a > trustworthy CA. This combined with the existing record of apparent > incompetence by DarkMatter (compare the inclusion bugs for other recently > approved CAs for contrast), makes me believe that the approval request should > be denied and the existing intermediates revoked via OneCRL. I don't see how > approving them, or the continued trust in their intermediates, would be in > the interests of Mozilla's users or compatible with the Mozilla Manifesto. > > Jonathan > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c29 > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c32 I wrote a post about this issue this morning for EFF: https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else Given DarkMatter's business interest in intercepting TLS communications adding them to the trusted root list seems like a very bad idea. (I would go so far as revoking their intermediate certificate as well, based on these revelations.) ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: DarkMatter Concerns
On Fri, Feb 22, 2019, at 16:21, Wayne Thayer via dev-security-policy wrote: > Despite the lack of > direct evidence of misissuance by DarkMatter, this may be a time when we > should use our discretion to act in the interest of individuals who rely on > our root store. It's worth noting that DarkMatter has already been documented to have misissued certificates, though not in a way that is obviously for malicious purposes. 1) As discovered by Rob Stradling[1], they issued at least two certificates with a CN that was not included in the SAN extension. An incident report was requested[2], but I was unable to find it in Bugzilla or on this mailing list. 2) https://crt.sh/?id=271084003=zlint - This certificate has an invalid domain `apiuat.o`. I'm not aware of prior discussion about this. With regards to the broader question, I believe that DarkMatter's alleged involvement with hacking campaigns is incompatible with operating a trustworthy CA. This combined with the existing record of apparent incompetence by DarkMatter (compare the inclusion bugs for other recently approved CAs for contrast), makes me believe that the approval request should be denied and the existing intermediates revoked via OneCRL. I don't see how approving them, or the continued trust in their intermediates, would be in the interests of Mozilla's users or compatible with the Mozilla Manifesto. Jonathan [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c29 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c32 ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
DarkMatter Concerns
The recent Reuters report on DarkMatter [1] has prompted numerous questions about their root inclusion request [2]. The questions that are being raised are equally applicable to their current status as a subordinate CA under QuoVadis (recently acquired by DigiCert [3]), so it seems appropriate to open up a discussion now. The purpose of this discussion is to determine if Mozilla should distrust DarkMatter by adding their intermediate CA certificates that were signed by QuoVadis to OneCRL, and in turn deny the pending root inclusion request. The rationale for distrust is that multiple sources [1][4][5] have provided credible evidence that spying activities, including use of sophisticated targeted surveillance tools, are a key component of DarkMatter’s business, and such an organization cannot and should not be trusted by Mozilla. In the past Mozilla has taken action against CAs found to have issued MitM certificates [6][7]. We are not aware of direct evidence of misused certificates in this case. However, the evidence does strongly suggest that misuse is likely to occur, if it has not already. Mozilla’s Root Store Policy [8] grants us the discretion to take actions based on the risk to people who use our products. Despite the lack of direct evidence of misissuance by DarkMatter, this may be a time when we should use our discretion to act in the interest of individuals who rely on our root store. I would greatly appreciate everyone's constructive input on this issue. - Wayne [1] https://www.reuters.com/investigates/special-report/usa-spying-raven/ [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262 [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/hicp7AW8sLA/KUSn20MrDgAJ [4] https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Emirates-Intelligence-Tried-to-Hire-me-to-Spy-on-its-People/ [5] https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/ [6] https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/Fj-LUvhVQYEJ [7] https://bugzilla.mozilla.org/show_bug.cgi?id=1232689 [8] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
