Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else February 22, 2019 https://www.eff.org/deeplinks/2019/...ldnt-be-trusted-your-browser-or-anywhere-else Bugzilla: Add DarkMatter Root Certificates
The problem is not the QuoVadis root certificate. BTW - a CA 2 one exists in the Win root CA store. The issue is DarkMatter wants Mozella to approve them as root CA store issuer in FireFox. As far as the Intermediate cert. issue, the browser downloads those as needed from the web site server. You have to get a copy of the DarkMatter one and download it to the Win Intermediate CA store. Then untrust it. Don't know if FireFox maintains a permanent Intermediate CA store as it does for the root CA store. If it does, you could download the DarkMatter Intermediate CA cert. there and untrust it if so allowed by FireFox.
Bleepingcomputer.com just published an article with more detail on this issue: https://www.bleepingcomputer.com/ne...equest-to-be-trusted-root-ca-raises-concerns/ . Scrolling down to the bottom of the article yields:
An "eye opener" as to how many certs. have been issued to DarkMatter to date is here: https://gist.github.com/CBonnell/1f01ccd93667c37800b67e518340c606
Mozilla blocks spy firm DarkMatter from Firefox citing ‘significant risk’ to users July 9, 2019 https://techcrunch.com/2019/07/09/darkmatter-firefox-certificates/
...Google is following suit: Google blocks websites certified by DarkMatter, after Reuters reports August 1, 2019 https://www.reuters.com/article/us-...arkmatter-after-reuters-reports-idUSKCN1UR5JD
But why they want so so sooooo badly to get that root CA issuer status? I mean can't you do damage also with rogue intermediate cert as with rogue root cert? After all, there has been..."accidents"...happened before in historywith intermediate certs too ... https://www.computerworld.com/artic...ty-issues-rogue-certs-for-google-domains.html That would explain why I can't see a single intermediate cert stored on my Linux box. Only 280 root certs, few of them expired and about ten owned by QuoVadis (cute, somebody knows Latin...) Why the mozilla not keep track of intermediate certs too? I mean, it's annoying as **** that I would have to visit and download every single of those over thousand of intermediate certs, put them to my store, go throught them and untrust fishy ones. There *must* be a intermediate cert list somewhere.... And I can't believe there is no easy way on Linux to list all those root certs in human readable form...so I made a small tool to list them. https://www.orwell1984.today/cname/QuoVadis.png After reading that EFF stuff and Protonmail stuff. I don't kno what to think. Maybe QuoVadis can be trusted or not. But dang...this cert system is totally a mess... And that security researcher in EFF stuff is right: telecom operators that sell spy boxes to dictator countries should not be allowed in cert business! https://www.orwell1984.today/cname/TeliaSonera.png
