Mozilla caught between a rock and a hard place on the issue of DarkMatter root certificates.
Mozilla’s security team has been caught between a rock and a hard place regarding a recent request to add a known surveillance vendor to Firefox’s internal list of approved HTTPS certificate issuers.
The vendor is named DarkMatter, a cyber-security firm based in the United Arab Emirates that has been known to sell surveillance and hacking services to oppressive regimes in the Middle East [1, 2, 3].
A few months back, DarkMatter filed a bug report asking that its own root certificates be added to Firefox’s certificate store, which is an internal list of Certificate Authorities (CAs).
CAs are companies, organizations, and other entities that are approved to issue new TLS certificates, the mechanism that supports encrypted HTTPS communications.
Mozilla uses this certificate store to know what TLS certificates to trust when loading encrypted content inside Firefox and Thunderbird, similar to how Apple, Google, and Microsoft all use their own certificate stores to know what content to trust in their own products as well.