GROWING FEARS
In 2017, DarkMatter applied on behalf of the UAE government for certificate authority. The company also applied to Mozilla to become a commercial certifier in its own right.
Following Reuters reports earlier this year, Mozilla executives began to fear that DarkMatter could use the authority to spy on users, a Mozilla executive said in the company’s public online forum.
Mozilla executives said rejecting an applicant on the basis of media reports was unprecedented. In past cases, Mozilla primarily relied on technical evidence to determine certification authority.
In Mozilla’s public discussion boards, DarkMatter executives and some security experts warned that relying on news articles to decide who can become a certificate authority would permanently taint the process with bias.
Mozilla’s stated concerns showed "a hidden organizational animus that is fatal to the idea of 'due process' and 'fundamental fairness,'” Benjamin Gabriel, general counsel for DarkMatter, wrote in the online forum.
In May, a DarkMatter executive said the company would move its certificate business to a new entity called DigitalTrust. That company would be controlled by a firm called DM Investments, which is owned by DarkMatter founder Faisal Al Bannai.
"This ownership structure does not assure me that these companies have the ability to operate independently, regardless of their names and legal structure," said Wayne Thayer, Mozilla's certification authority program manager, in his announcement on Tuesday.
Along with rejecting the UAE's application, Mozilla said it would block several other separate bids by DarkMatter to become a commercial certificate provider. Mozilla also said it would mark as unsafe the more than 275 websites DarkMatter had already certified under an earlier provisional authority that the company gained in 2017.
Mozilla noted that another UAE government entity called the Dubai Electronic Security Center still had a pending application to become a certificate authority, on which Mozilla had not yet made a decision.
While each browser company makes its own decisions about who it allows to become a certifying authority, Mozilla is seen as a leader in this area. Security experts say competitors, such as Google’s Chrome browser and Apple’s Safari browser, tend to follow its lead.
Thayer said in his announcement that even without a smoking gun that showed DarkMatter had misused certificates, the risks demonstrated by the reports were too great.
”While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users,” he said.
