A Google representative announced plans today to ban root certificates owned by a UAE-based company accused of selling surveillance tools and hacking services.
The ban will apply to Chrome and Android.
Once the ban takes effect, HTTPS connections secured with TLS certificates sold or issued by DarkMatter will show security-related errors in the Chrome browser and Android applications.
Mozilla banned DarkMatter certs two weeks ago
Google’s decision was announced after DarkMatter applied last year to become an approved certificate authority (CA) and have its root certificate included in major browsers.
Mozilla declined DarkMatter’s request at the start of the month, citing fears that DarkMatter might abuse its inclusion in the Firefox certificate store (a certificate whitelist) to issue certificates to threat actors that may use them to snoop on users’ HTTPS traffic.
At the time, privacy advocates hailed Mozilla’s decision because the organization’s root certificate whitelist was also being used on some Linux distros, and not just Firefox.
Google follows suit
Today, Devon O’Brien, an engineer with the Chrome Security team, echoed Mozilla’s decision.
O’Brien said Google will decline to include DarkMatter root certificates inside Chrome and Android. Google will also ban six intermediate certificates issued by QuoVadis, which DarkMatter was using as a temporary mechanism to issue TLS certificates to its current customers while the company was waiting for approval from Mozilla and Google.
“We anticipate these changes will be delivered via our existing in-band delivery mechanisms to clients and require no user action,” O’Brien said.
DarkMatter’s controversial past
DarkMatter is one of today’s most controversial cyber-security vendors. Reports from Reuters, the New York Times, The Intercept, and other sources have detailed surveillance operations that relied on DarkMatter’s technical support, and which targeted human rights activists, journalists, and foreign governments.
The reports claimed DarkMatter carried out some of these surveillance operations at the behest of the United Arab Emirates government.
DarkMatter contested the accuracy of these reports at the time they were published; however, Mozilla and Google appear to have ruled against the company, regardless.
A DarkMatter spokesperson did not reply to a request for comment from ZDNet sent earlier today, nor did they respond to a request for comment we sent when Mozilla banned the company’s root certificates two weeks ago.
Google did not reply to additional questions from ZDNet following today’s official announcement.
Apple and Microsoft have been silent (as always)
Apple and Microsoft, the two other major browser vendors and OS vendors, have not made any public comments about their plans to support DarkMatter certificates.
However, in the past, the two companies have always been late in making such decisions, usually leaving Mozilla and Google reps to investigate and put out a plan of action. If history repeats itself, Apple and Microsoft are likely to ban DarkMatter certs as well.