In late February 2019, news emerged that Mozilla had received a request from Dark Matter to be added to Firefox’s CA Certificate Root Program. The request is significant, but not for bureaucratic reasons: if it does not already, Dark Matter can improve its documented practices to meet the program’s minimum requirements and refine its policies so that it issues standards-compliant certificates. What makes the request stand out is an ethical concern, because Dark Matter, an emerging digital security company in the United Arab Emirates, has a history of spying on web communications and hacking dissidents’ iPhones.
Cooper Quintin, senior staff technologist at EFF, specifically fears that a company like Dark Matter would abuse its privileged status as a CA to threaten the security and privacy of Firefox users. As he explains in a blog post:
“Any of the dozens of certificate authorities trusted by your browser could secretly issue a fraudulent certificate for any website (such as google.com or eff.org.) A certificate authority (or other organization, such as a government spy agency,) could then use the fraudulent certificate to spy on your communications with that site, even if it is encrypted with HTTPS.”
This threat derives its heft from trust stores, the collections of trusted-by-default root certificates that Mozilla, Google, Microsoft, Apple and other makers of operating systems and web browsers help maintain. An issuing CA must undergo an auditing process before it can expect its root certificate to be included in a trust store. But once a CA is approved, an untrustworthy one can issue fraudulent machine identities, thereby exposing users’ web activity.
That’s not the only threat pertaining to trust stores, either. As noted by Malwarebytes, digital attackers can also steal the private key that belongs to a root certificate. If this root certificate already resides within a trust store, these bad actors can then issue their own certificates, sign them with the private key and thereby stage man-in-the-middle (MitM) attacks or install malware onto web browser users’ machines.
Given the risks described above, Quintin rightly thinks it would be best if Mozilla and the other root certificate database maintainers, such as Microsoft, Google and Apple, refused to trust companies like Dark Matter as root CAs. That is a reasonable hope. But it doesn’t address what organizations themselves can do to manage the security threats that stem from trust stores.
Fortunately, organizations can take steps to protect themselves. They can begin by recognizing that trust stores ship with hundreds of root certificates that aren’t necessary. Indeed, a study from the University of Hannover in Germany found that only two-thirds of the trusted root certificates included in the default trust stores for Windows, Linux, macOS, Firefox, iOS and Android were actively used to sign HTTPS certificates. The remaining third stay trusted without serving the user, and so remain open to abuse.
In response, organizations should consider rejecting these default trust stores. Instead, they should build a customized trust store using certificate whitelisting, so that they have a say in which root certificates are included in the collection. This practice reduces the attack surface by limiting the number of trusted CAs and by flagging SSL/TLS sessions whose certificate chains do not lead to a trusted root. Organizations can then update these certificate whitelists and blacklists on an ongoing basis to reflect their evolving business requirements and the expanding CA landscape.
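The customized, whitelisted trust store described above, as an added Go example that is not from the original post: it prunes a default root bundle down to the roots whose SHA-256 fingerprints are whitelisted and verifies a site certificate only against that pruned pool, so a chain the full bundle would accept is flagged once its root is dropped. The demo roots and site certificate are constructed in memory by the hypothetical mint helper; the whitelist and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint builds a constructed demo certificate: a self-signed root when parent is nil,
// otherwise an end-entity certificate issued by parent. None of these is a real CA.
func mint(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: parent == nil,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Fingerprint is the SHA-256 of the DER encoding, the usual key in a root whitelist.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// PrunedPool is the customized trust store: only whitelisted roots survive from the default bundle.
func PrunedPool(defaultStore []*x509.Certificate, allow map[string]bool) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range defaultStore {
		if allow[Fingerprint(c)] {
			pool.AddCert(c)
		}
	}
	return pool
}

// TrustedBy reports whether leaf chains to a root in pool. A false result against the
// pruned pool is the signal to flag the session, even if the default store would accept it.
func TrustedBy(leaf *x509.Certificate, pool *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
```

With two demo roots in the default bundle and a site certificate issued by the one left off the whitelist, TrustedBy returns true for the full bundle and false for the pruned pool.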
Simultaneously, organizations should take steps to secure their own certificates and keys against digital attackers. They can do this by using a solution that monitors these machine identities for signs of abuse. Such a platform should also automate certificate renewal to sidestep human error.